Selecting network security investigation timelines based on identifiers

ABSTRACT

Techniques and mechanisms are disclosed that enable network security analysts and other users to efficiently conduct network security investigations and to produce useful representations of investigation results. As used herein, a network security investigation generally refers to an analysis by an analyst (or team of analysts) of one or more detected network events that may pose internal and/or external threats to a computer network under management. A network security application provides various interfaces that enable users to create investigation timelines, where the investigation timelines display a collection of events related to a particular network security investigation. A network security application further provides functionality to monitor and log user interactions with the network security application, where particular logged user interactions may also be added to one or more investigation timelines.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims benefit under 35 U.S.C. § 120 as a Continuationof U.S. application Ser. No. 14/815,983, filed Aug. 1, 2015, the entirecontents of which is hereby incorporated by reference for all purposesas if fully set forth herein. The applicant(s) hereby rescind anydisclaimer of claim scope in the parent application(s) or theprosecution history thereof and advise the USPTO that the claims in thisapplication may be broader than any claim in the parent application(s).

TECHNICAL FIELD

Embodiments relate generally to computer network security, and, morespecifically, to techniques for enabling network security analysts toefficiently identify, investigate, and report on incidents related tothe security of a computer network.

BACKGROUND

The approaches described in this section are approaches that could bepursued, but not necessarily approaches that have been previouslyconceived or pursued. Therefore, unless otherwise indicated, it shouldnot be assumed that any of the approaches described in this sectionqualify as prior art merely by virtue of their inclusion in thissection.

The vast majority of organizations today rely on computer networks foran increasingly wide variety of business operations. As the reliance oncomputer networks has grown, so too has the importance securing thosenetworks against internal and external threats. To monitor and addresssuch threats, organizations increasingly rely on security informationand event management (SIEM) software and other applications to protecttheir networks.

A conventional network security application generally may provide anumber of graphical user interfaces that present information about datagenerated by network devices and applications that comprise a particularcomputer network. Tasked with investigating one or more particularsecurity incidents, a network security analyst typically may review andcollect information from any number of the provided interfaces and otherdata sources over the course of an investigation. To gather andcross-reference the information collected from these disparate sources,analysts may often use a cumbersome assortment of third partyapplications (e.g., text editors, word processors, email clients, etc.),and even pen and paper, in an attempt to understand the nature ofparticular network security incidents. The result of using suchapplications to conduct security investigations often produces aninconsistent investigation report that is difficult to understand andshare with others.

BRIEF DESCRIPTION OF THE DRAWINGS

In the drawings:

FIG. 1 illustrates a networked computer environment in which anembodiment may be implemented;

FIG. 2 illustrates a block diagram of an example data intake and querysystem in which an embodiment may be implemented;

FIG. 3 is a flow diagram that illustrates how indexers process, index,and store data received from forwarders in accordance with the disclosedembodiments;

FIG. 4 is a flow diagram that illustrates how a search head and indexersperform a search query in accordance with the disclosed embodiments;

FIG. 5 illustrates a scenario where a common customer ID is found amonglog data received from three disparate sources in accordance with thedisclosed embodiments;

FIG. 6A illustrates a search screen in accordance with the disclosedembodiments;

FIG. 6B illustrates a data summary dialog that enables a user to selectvarious data sources in accordance with the disclosed embodiments;

FIG. 7A-7D illustrate a series of user interface screens for an exampledata model driven report generation interface in accordance with thedisclosed embodiments;

FIG. 8 illustrates an example search query received from a client andexecuted by search peers in accordance with the disclosed embodiments;

FIG. 9A illustrates a key indicators view in accordance with thedisclosed embodiments;

FIG. 9B illustrates an incident review dashboard in accordance with thedisclosed embodiments;

FIG. 9C illustrates a proactive monitoring tree in accordance with thedisclosed embodiments;

FIG. 9D illustrates a user interface screen displaying both log data andperformance data in accordance with the disclosed embodiments;

FIG. 10 illustrates a block diagram of an example cloud-based dataintake and query system in which an embodiment may be implemented;

FIG. 11 illustrates a block diagram of an example search support systemin accordance with the disclosed embodiments;

FIG. 12A illustrates a workflow log panel for use in a network securityapplication in accordance with the disclosed embodiments;

FIG. 12B illustrates an investigation timeline panel for use in anetwork security application in accordance with the disclosedembodiments;

FIG. 13 illustrates a workflow log panel overlaying a dashboardinterface in accordance with the disclosed embodiments;

FIG. 14 illustrates a workflow log panel, including a workflow logsettings panel and an expanded workflow log panel in accordance with thedisclosed embodiments;

FIG. 15 illustrates a detailed workflow log panel overlaying a dashboardinterface in accordance with the disclosed embodiments;

FIG. 16 illustrates a notes panel in accordance with the disclosedembodiments;

FIG. 17 illustrates a screenshot panel in accordance with the disclosedembodiments;

FIG. 18 illustrates an investigation timeline panel displayed inconjunction with a dashboard interface in accordance with the disclosedembodiments;

FIG. 19 illustrates an interface for adding an event to an investigationtimeline in accordance with the disclosed embodiments;

FIG. 20 illustrates an example interface displayed in response to addingan event to an investigation timeline in accordance with the disclosedembodiments;

FIG. 21 illustrates an example interface for adding a note at a selectedlocation on an investigation timeline in accordance with the disclosedembodiments;

FIG. 22 illustrates an example interface for adding a screenshot at aselected location on an investigation timeline in accordance with thedisclosed embodiments;

FIG. 23 illustrates an example interface for adding one or more users toan investigation in accordance with the disclosed embodiments;

FIG. 24 illustrates an example interface for displaying a list ofinvestigations to which a particular user is assigned in accordance withthe disclosed embodiments;

FIG. 25 illustrates an interface displaying an investigation timeline,where the investigation timeline includes multiple event types inaccordance with the disclosed embodiments;

FIG. 26 illustrates a storyboard interface for displaying eventsassociated with a particular investigation timeline in accordance withthe disclosed embodiments;

FIG. 27 illustrates an interface element for assigning an investigationstatus to an investigation timeline in accordance with the disclosedembodiments;

FIG. 28 illustrates an interface element for assigning an priority levelto an investigation timeline in accordance with the disclosedembodiments;

FIG. 29 illustrates an interface element for selecting visibility accesscontrols for an investigation timeline in accordance with the disclosedembodiments;

FIG. 30 illustrates an investigation timeline-specific interface inaccordance with the disclosed embodiments;

FIG. 31 illustrates an interface for displaying events associated with aparticular investigation timeline as a list in accordance with thedisclosed embodiments;

FIG. 32 illustrates grouping event graphical indications based on atimeline zoom level in accordance with the disclosed embodiments;

FIG. 33 illustrates an investigations management console in accordancewith the disclosed embodiments;

FIG. 34 illustrates a search interface for an investigations managementconsole in accordance with the disclosed embodiments;

FIG. 35 illustrates a canvas for refining an investigation timeline inaccordance with the disclosed embodiments;

FIG. 36 illustrates an interface for adding an asset to an investigationin accordance with the disclosed embodiments;

FIG. 37 illustrates an interface for displaying investigation timelineassets in accordance with the disclosed embodiments;

FIG. 38 is a flow diagram that illustrates generation of aninvestigation timeline display in accordance with the disclosedembodiments;

FIG. 39 is a flow diagram that illustrates monitoring and logginginvestigation workflow events and causing display of a workflow eventlog view in accordance with the disclosed embodiments;

FIG. 40 is a flow diagram that illustrates generation of aninvestigation management console display in accordance with thedisclosed embodiments.

FIG. 41 illustrates a computer system upon which an embodiment may beimplemented.

DETAILED DESCRIPTION

In the following description, for the purposes of explanation, numerousspecific details are set forth in order to provide a thoroughunderstanding of the present invention. It will be apparent, however,that the present invention may be practiced without these specificdetails. In other instances, well-known structures and devices are shownin block diagram form in order to avoid unnecessarily obscuring thepresent invention.

Embodiments are described herein according to the following outline:

1.0. General Overview

2.0. Operating Environment

-   -   2.1. Host Devices    -   2.2. Client Devices    -   2.3. Client Device Applications    -   2.4. Data Server System    -   2.5. Data Ingestion        -   2.5.1. Input        -   2.5.2. Parsing        -   2.5.3. Indexing    -   2.6. Query Processing    -   2.7. Field Extraction    -   2.8. Example Search Screen    -   2.9. Data Modelling    -   2.10. Acceleration Techniques        -   2.10.1. Aggregation Technique        -   2.10.2. Keyword Index        -   2.10.3. High Performance Analytics Store        -   2.10.4. Accelerating Report Generation    -   2.11. Security Features    -   2.12. Data Center Monitoring    -   2.13. Cloud-Based System Overview    -   2.14. Searching Externally Archived Data        -   2.14.1. ERP Process Features

3.0. Functional Overview

-   -   3.1. Investigation Workflow Logging    -   3.2. Investigation Timelines    -   3.3. Investigation Management

4.0. Implementation Examples

-   -   4.1. Generating Investigation Timeline Views    -   4.2. Generating Workflow Event Log Views    -   4.3. Generating Management Console Views

5.0. Example Embodiments

6.0. Implementation Mechanism—Hardware Overview

7.0. Extensions and Alternatives

1.0. General Overview

Modern data centers and other computing environments can compriseanywhere from a few host computer systems to thousands of systemsconfigured to process data, service requests from remote clients, andperform numerous other computational tasks. During operation, variouscomponents within these computing environments often generatesignificant volumes of machine-generated data. In general,machine-generated data can include performance data, diagnosticinformation, and many other types of data that can be analyzed todiagnose performance problems, monitor user interactions, and to deriveother insights.

A number of tools are available to analyze machine data, that is,machine-generated data. In order to reduce the size of the potentiallyvast amount of machine data that may be generated, many of these toolstypically pre-process the data based on anticipated data-analysis needs.For example, pre-specified data items may be extracted from the machinedata and stored in a database to facilitate efficient retrieval andanalysis of those data items at search time. However, the rest of themachine data typically is not saved and is discarded duringpre-processing. As storage capacity becomes progressively cheaper andmore plentiful, there are fewer incentives to discard these portions ofmachine data and many reasons to retain more of the data.

This plentiful storage capacity is presently making it feasible to storemassive quantities of minimally processed machine data for laterretrieval and analysis. In general, storing minimally processed machinedata and performing analysis operations at search time can providegreater flexibility because it enables an analyst to search all of themachine data, instead of searching only a pre-specified set of dataitems. This may, for example, enable an analyst to investigate differentaspects of the machine data that previously were unavailable foranalysis.

However, analyzing and searching massive quantities of machine datapresents a number of challenges. For example, a data center, servers, ornetwork appliances, may generate many different types and formats ofmachine data (e.g., system logs, network packet data (e.g., wire data,etc.), sensor data, application program data, error logs, stack traces,system performance data, etc.) from thousands of different components,which can collectively be very time-consuming to analyze. In anotherexample, mobile devices may generate large amounts of informationrelating to data accesses, application performance, operating systemperformance, network performance, etc. The number of mobile devices thatreport these types of information can number in the millions. Also, theunstructured nature of much of this machine data can pose additionalchallenges because of the difficulty of applying semantic meaning tounstructured data, and the difficulty of indexing and queryingunstructured data using traditional database systems.

These challenges can be addressed by using an event-based data intakeand query system, such as the SPLUNK® ENTERPRISE system produced bySplunk Inc. of San Francisco, Calif. The SPLUNK® ENTERPRISE system isthe leading platform for providing real-time operational intelligencethat enables organizations to collect, index, and searchmachine-generated data from various websites, applications, servers,networks, and mobile devices that power their businesses. The SPLUNK®ENTERPRISE system is particularly useful for analyzing unstructureddata, which is commonly found in system log files, network data, andother data input sources. Although many of the techniques describedherein are explained with reference to a data intake and query systemsimilar to the SPLUNK® ENTERPRISE system, the techniques are alsoapplicable to other types of data systems.

In the SPLUNK® ENTERPRISE system, machine-generated data is collectedand stored as “events,” where each event comprises a portion of themachine-generated data and is associated with a specific point in time.For example, events may be derived from “time series data,” where thetime series data comprises a sequence of data points (e.g., performancemeasurements from a computer system, etc.) that are associated withsuccessive points in time. In general, each event can be associated witha timestamp that is derived from the raw data in the event, determinedthrough interpolation between temporally proximate events having knowntimestamps, determined based on other configurable rules for assigningtimestamps to events, etc.

Events can be derived from either “structured” or “unstructured” machinedata. In general, structured data has a predefined format, where dataitems with specific data formats are stored at predefined locations inthe data. For example, structured data may include data stored as fieldsin a database table. In contrast, unstructured data may not have apredefined format, that is, the data is not at fixed, predefinedlocations, but the data does have repeatable patterns and is not random.This means that unstructured data can comprise various data items ofdifferent data types and that may be stored at different locationswithin the data. For example, when the data source is an operatingsystem log, an event can include one or more lines from the operatingsystem log containing raw data that includes different types ofperformance and diagnostic information associated with a specific pointin time.

Examples of components which may generate machine data from which eventscan be derived include, but are not limited to, web servers, applicationservers, databases, firewalls, routers, operating systems, and softwareapplications that execute on computer systems, mobile devices, sensors,etc. The data generated by such data sources can include, for exampleand without limitation, server log files, activity log files,configuration files, messages, network packet data, performancemeasurements, sensor measurements, etc.

The SPLUNK® ENTERPRISE system also facilitates using a flexible schemato specify how to extract information from the event data, where theflexible schema may be developed and redefined as needed. Note that aflexible schema may be applied to event data “on the fly,” when it isneeded (e.g., at search time, index time, ingestion time, etc.). Becausethe schema is not applied to event data until it is needed (e.g., atsearch time, index time, ingestion time, etc.), it may be referred to asa “late-binding schema.”

During operation, the SPLUNK® ENTERPRISE system starts with raw inputdata (e.g., one or more system logs, streams of network packet data,sensor data, application program data, error logs, stack traces, systemperformance data, etc.). The system divides this raw data into blocks(e.g., buckets of data, each associated with a specific time frame,etc.), and parses the raw data to produce timestamped events. The systemstores the timestamped events in a data store, and enables users to runqueries against the stored data to, for example, retrieve events thatmeet criteria specified in a query, such as containing certain keywordsor having specific values in defined fields. In this context, the term“field” refers to a location in the event data containing a value for aspecific data item.

As noted above, the SPLUNK® ENTERPRISE system facilitates applying alate-binding schema to event data while performing queries on events.One aspect of a late-binding schema is “extraction rules” that areapplied to data in the events to extract values for specific fields.More specifically, the extraction rules for a field can include one ormore instructions that specify how to extract a value for the field fromthe event data. An extraction rule can generally include any type ofinstruction for extracting values from data in events. In some cases, anextraction rule comprises a regular expression where a sequence ofcharacters form a search pattern, in which case the rule is referred toas a “regex rule.” The system applies the regex rule to the event datain order to identify where the associated field occurs in the event databy searching the event data for the sequence of characters defined inthe regex rule.

In the SPLUNK® ENTERPRISE system, a field extractor may be configured toautomatically generate extraction rules for certain fields in the eventswhen the events are being created, indexed, or stored, or possibly at alater time. Alternatively, a user may manually define extraction rulesfor fields using a variety of techniques. In contrast to a conventionalschema for a database system, a late-binding schema is not defined atdata ingestion time. Instead, the late-binding schema can be developedon an ongoing basis until the time a query is actually executed. Thismeans that extraction rules for the fields in a query may be provided inthe query itself, or may be located during execution of the query.Hence, as an analyst learns more about the data in the events, theanalyst can continue to refine the late-binding schema by adding newfields, deleting fields, or modifying the field extraction rules for usethe next time the schema is used by the system. Because the SPLUNK®ENTERPRISE system maintains the underlying raw data and useslate-binding schemas for searching the raw data, it enables an analystto investigate questions that arise as the analyst learns more about theevents.

In some embodiments, a common field name may be used to reference two ormore fields containing equivalent data items, even though the fields maybe associated with different types of events that possibly havedifferent data formats and different extraction rules. By enabling acommon field name to be used to identify equivalent fields fromdifferent types of events generated by disparate data sources, thesystem facilitates use of a “common information model” (CIM) across thedisparate data sources (further discussed with respect to FIG. 5).

2.0. Operating Environment

FIG. 1 illustrates a networked computer system 100 in which anembodiment may be implemented. FIG. 1 represents an example embodimentthat is provided for purposes of illustrating a clear example; otherembodiments may use different arrangements.

The networked computer system 100 comprises one or more computingdevices. These one or more computing devices comprise any combination ofhardware and software configured to implement the various logicalcomponents described herein. For example, the one or more computingdevices may include one or more memories that store instructions forimplementing the various components described herein, one or morehardware processors configured to execute the instructions stored in theone or more memories, and various data repositories in the one or morememories for storing data structures utilized and manipulated by thevarious components.

In an embodiment, one or more client devices 102 are coupled to one ormore host devices 106 and a data intake and query system 108 via one ormore networks 104. Networks 104 broadly represent one or more LANs,WANs, cellular networks (e.g., LTE, HSPA, 3G, and other cellulartechnologies), and/or internetworks using any of wired, wireless,terrestrial microwave, or satellite links, and may include the publicInternet.

2.1. Host Devices

In an embodiment, a system 100 includes one or more host devices 106.Host devices 106 may broadly include any number of computers, virtualmachine instances, and/or data centers that are configured to host orexecute one or more instances of host applications 114. In general, ahost device 106 may be involved, directly or indirectly, in processingrequests received from client devices 102. For example, each host device106 may comprise, for example, one or more of a network device, a webserver, an application server, a database server, etc. A collection ofhost devices 106 may be configured to implement a network-based service.For example, a provider of a network-based service may configure one ormore host devices 106 and host applications 114 (e.g., one or more webservers, application servers, database servers, etc.) to collectivelyimplement the network-based application.

In general, client devices 102 communicate with one or more hostapplications 114 to exchange information. The communication between aclient device 102 and a host application 114 may, for example, be basedon the Hypertext Transfer Protocol (HTTP) or any other network protocol.Content delivered from the host application 114 to a client device 102may include, for example, HTML documents, media content, etc. Thecommunication between a client device 102 and host application 114 mayinclude various request and response packets. For example, in general, aclient device 102 may initiate communication with a host application 114by making a request for a specific resource (e.g., based on an HTTPrequest), and the application server may respond with the requestedcontent stored in one or more response packets.

In an embodiment, one or more of host applications 114 may generatevarious types of performance data during operation, including eventlogs, network data, sensor data, and other types of machine-generateddata. For example, a host application 114 comprising a web server maygenerate one or more web server logs in which details of interactionsbetween the web server and any number of client devices 102 is recorded.As another example, a host device 106 comprising a router may generateone or more router logs that record information related to networktraffic managed by the router. As yet another example, a hostapplication 114 comprising database server may generate one or more logsthat record information related to requests sent from other hostapplications 114 (e.g., web servers or application servers) for datamanaged by the database server.

2.2. Client Devices

Client devices 102 of FIG. 1 broadly represent any computing devicecapable of interacting with one or more host devices 106 via a network104. Examples of client devices 102 may include, without limitation,smart phones, tablet computers, other handheld computers, wearabledevices, laptop computers, desktop computers, servers, portable mediaplayers, gaming devices, and so forth. In general, a client device 102can provide access to different content, for instance, content providedby one or more host devices 106. Each client device 102 may comprise oneor more client applications 110, described in more detail in a separatesection hereinafter.

2.3. Client Device Applications

In an embodiment, each client device 102 may host or execute one or moreclient applications 110 that are capable of interacting with one or morehost devices 106 via one or more networks 104. For instance, a clientapplication 110 may be or comprise a web browser which a user maynavigate to one or more websites or other resources provided by one ormore host devices 106. As another example, a client application 110 maycomprise a mobile application or “app.” For example, an operator of anetwork-based service hosted by one or more host devices 106 may makeavailable one or more mobile apps that enable users of client devices102 to access various resources of the network-based service. As yetanother example, client applications 110 may include backgroundprocesses that perform various operations without direct interactionfrom a user. A client application 110 may include a “plug-in” or“extension” to another application, such as a web browser plug-in orextension.

In an embodiment, a client application 110 may include a monitoringcomponent 112. At a high level, the monitoring component 112 comprises asoftware component or other logic that facilitates generatingperformance data related to a client device's operating state, includingmonitoring network traffic sent and received from the client device andcollecting other device and/or application-specific information.Monitoring component 112 may be an integrated component of a clientapplication 110, a plug-in, an extension, or any other type of add-on tothe application. Monitoring component 112 may also be a stand-aloneprocess.

In one embodiment, a monitoring component 112 may be created when aclient application 110 is developed, for example, by an applicationdeveloper using a software development kit (SDK). The SDK may, forexample, include custom monitoring code that can be incorporated intothe code implementing a client application 110. When the code isconverted to an executable application, the custom code implementing themonitoring functionality can become part of the application itself.

In some cases, an SDK or other code for implementing the monitoringfunctionality may be offered by a provider of a data intake and querysystem, such as a system 108. In such cases, the provider of the system108 can implement the custom code such that performance data generatedby the monitoring functionality is sent to the system 108 to facilitateanalysis of the performance data by a developer of the clientapplication or other users.

In an embodiment, the custom monitoring code may be incorporated intothe code of a client application 110 in a number of different ways, suchas the insertion of one or more lines in the client application codethat call or otherwise invoke the monitoring component 112. As such, adeveloper of a client application 110 can add one or more lines of codeinto the client application 110 to trigger the monitoring component 112at desired points during execution of the application. Code thattriggers the monitoring component may be referred to as a monitortrigger. For instance, a monitor trigger may be included at or near thebeginning of the executable code of the client application 110 such thatthe monitoring component 112 is initiated or triggered as theapplication is launched, or included at other points in the code thatcorrespond to various actions of the client application, such as sendinga network request or displaying a particular interface.

In an embodiment, the monitoring component 112 may monitor one or moreaspects of network traffic sent and/or received by a client application110. For example, the monitoring component 112 may be configured tomonitor data packets transmitted to and/or from one or more hostapplications 114. Incoming and/or outgoing data packets can be read orexamined to identify network data contained within the packets, forexample, and other aspects of data packets can be analyzed to determinea number of network performance statistics. Monitoring network trafficmay enable information to be gathered particular to the networkperformance associated with a client application 110 or set ofapplications.

In an embodiment, network performance data refers to any type of datathat indicates information about the network and/or network performance.Network performance data may include, for instance, a URL requested, aconnection type (e.g., HTTP, HTTPS, etc.), a connection start time, aconnection end time, an HTTP status code, request length, responselength, request headers, response headers, connection status (e.g.,completion, response time(s), failure, etc.), and the like. Uponobtaining network performance data indicating performance of thenetwork, the network performance data can be transmitted to a dataintake and query system 108 for analysis.

Upon developing a client application 110 that incorporates a monitoringcomponent 112, the client application 110 can be distributed to clientdevices 102. Applications generally can be distributed to client devices102 in any manner. In some cases, the application may be distributed toa client device 102 via an application marketplace or other applicationdistribution system. For instance, an application marketplace or otherapplication distribution system might distribute the application to aclient device based on a request from the client device to download theapplication.

Examples of functionality that enables monitoring performance of aclient device are described in U.S. patent application Ser. No.14/524,748, entitled “UTILIZING PACKET HEADERS TO MONITOR NETWORKTRAFFIC IN ASSOCIATION WITH A CLIENT DEVICE”, filed on 27 Oct. 2014, andwhich is hereby incorporated by reference in its entirety for allpurposes.

In an embodiment, the monitoring component 112 may also monitor andcollect performance data related to one or more aspects of theoperational state of a client application 110 and/or client device 102.For example, a monitoring component 112 may be configured to collectdevice performance information by monitoring one or more client deviceoperations, or by making calls to an operating system and/or one or moreother applications executing on a client device 102 for performanceinformation. Device performance information may include, for instance, acurrent wireless signal strength of the device, a current connectiontype and network carrier, current memory performance information, ageographic location of the device, a device orientation, and any otherinformation related to the operational state of the client device.

In an embodiment, the monitoring component 112 may also monitor andcollect other device profile information including, for example, a typeof client device, a manufacturer and model of the device, versions ofvarious software applications installed on the device, and so forth.

In general, a monitoring component 112 may be configured to generateperformance data in response to a monitor trigger in the code of aclient application 110 or other triggering application event, asdescribed above, and to store the performance data in one or more datarecords. Each data record, for example, may include a collection offield-value pairs, each field-value pair storing a particular item ofperformance data in association with a field for the item. For example,a data record generated by a monitoring component 112 may include a“networkLatency” field in which a value is stored indicating a networklatency measurement associated with one or more network requests, a“state” field to store a value indicating a state of a networkconnection, and so forth for any number of aspects of collectedperformance data.

2.4. Data Server System

FIG. 2 depicts a block diagram of an example data intake and querysystem 108, similar to the SPLUNK® ENTERPRISE system. System 108includes one or more forwarders 204 that consume data from a variety ofinput data sources 202, and one or more indexers 206 that process andstore the data in one or more data stores 208. These forwarders andindexers can comprise separate computer systems, or may alternativelycomprise separate processes executing on one or more computer systems.

Each data source 202 broadly represents a source of data that can beconsumed by a system 108. Examples of a data source 202 include, withoutlimitation, data files, directories of files, data sent over a network,event logs, registries, etc.

During operation, the forwarders 204 identify which indexers 206 receivedata collected from a data source 202 and forward the data to theappropriate indexers. Forwarders 204 can also perform operations on thedata before forwarding, including removing extraneous data, detectingtimestamps in the data, parsing data, indexing data, routing data basedon criteria relating to the data being routed, and/or performing otherdata transformations.

In an embodiment, a forwarder 204 may comprise a service accessible toclient devices 102 and host devices 106 via a network 104. For example,one type of forwarder 204 may be capable of consuming vast amounts ofreal-time data from a potentially large number of client devices 102and/or host devices 106. The forwarder 204 may, for example, comprise acomputing device which implements multiple data pipelines or “queues” tohandle forwarding of network data to indexers 206. A forwarder 204 mayalso perform many of the functions that are herein described for anindexer. For example, a forwarder 204 may perform keyword extractions onraw data or parse raw data in to events and perform keyword extractions.A forwarder 204 may generate time stamps for events. Additionally oralternatively, a forwarder 204 may perform routing of events toindexers.

2.5. Data Ingestion

FIG. 3 depicts a flow chart illustrating an example data flow within adata intake and query system 108, in accordance with the disclosedembodiments. The data flow illustrated in FIG. 3 is provided forillustrative purposes only; one or more of the steps of the processesillustrated in FIG. 3 may be removed or the ordering of the steps may bechanged. Furthermore, for the purposes of illustrating a clear example,one or more particular system components is described as performingvarious operations during each of the data flow stages. For example, aforwarder is described as receiving and processing data during an inputphase, an indexer is described as parsing and indexing data duringparsing and indexing phases, and a search head is described asperforming a search query during a search phase. However, it is notedthat other system arrangements and distributions of the processing stepsacross system components may be used.

2.5.1. Input

At block 302, a forwarder receives data from an input source. Aforwarder, for example, initially may receive the data as a raw datastream generated by the input source. For example, a forwarder mayreceive a data stream from a log file generated by an applicationserver, from a stream of network data from a network device, or from anyother source of data. In one embodiment, a forwarder receives the rawdata and may segment the data stream into “blocks” or “buckets,”possibly of a uniform data size, to facilitate subsequent processingsteps.

At block 304, a forwarder or other system component annotates each blockgenerated from the raw data with one or more metadata fields. Thesemetadata fields may, for example, provide information related to thedata block as a whole and may apply to each event that is subsequentlyderived from the data in the data block. For example, the metadatafields may include separate fields specifying each of a host, a source,and a source type related to the data block. A host field, for example,may contain a value identifying a host name or IP address of a devicethat generated the data. A source field may contain a value identifyinga source of the data, such as a pathname of a file or a protocol andport related to received network data. A source type field may contain avalue specifying a particular source type label for the data. Additionalmetadata fields may also be included during the input phase, such as acharacter encoding of the data if known, and possibly other values thatprovide information relevant to later processing steps. In anembodiment, a forwarder forwards the data to another system componentfor further processing, typically forwarding the annotated data blocksto an indexer.

2.5.2. Parsing

At block 306, an indexer receives data blocks from a forwarder andparses the data to organize the data into events. In an embodiment, toorganize the data into events, an indexer may determine a source typeassociated with each data block (e.g., by extracting a source type labelfrom the metadata fields associated with the data block, etc.) and referto a source type configuration corresponding to the identified sourcetype. The source type definition may include one or more properties thatindicate to the indexer what are the boundaries of events within thedata. In general, these properties may include regular expression-basedrules or delimiter rules where, for example, event boundaries may beindicated by predefined characters or character strings. Thesepredefined characters may include punctuation marks or other specialcharacters including, for example, carriage returns, tabs, spaces, linebreaks, etc. If a source type for the data is unknown to the indexer, anindexer may infer a source type for the data by examining the structureof the data and apply an inferred source type definition to the data tocreate the events.

At block 308, the indexer determines a timestamp for each event. Similarto the process for creating events, an indexer may again refer to asource type definition associated with the data to locate one or moreproperties that indicate instructions for determining a timestamp foreach event. The properties may, for example, instruct an indexer toextract a time value from a portion of data in the event, to interpolatetime values based on timestamps associated with temporally proximateevents, to create a timestamp based on a time the event data wasreceived or generated, to use the timestamp of a previous event, orbased on any other rules for determining timestamps.

At block 310, the indexer associates with each event one or moremetadata fields including a field containing the timestamp (in someembodiments, a timestamp may be included in the metadata fields)determined for the event. These metadata fields may include a number of“default fields” that are associated with all events, and may alsoinclude one more custom fields as defined by a user. Similar to themetadata fields associated with the data blocks at block 304, thedefault metadata fields associated with each event may include a host,source, and source type field including or in addition to a fieldstoring the timestamp.

At block 312, an indexer may optionally apply one or moretransformations to data included in the events created at block 306. Forexample, such transformations can include removing a portion of an event(e.g., a portion used to define event boundaries, extraneous charactersfrom the event, other extraneous text, etc.), masking a portion of anevent (e.g., masking a credit card number), removing redundant portionsof an event, etc. The transformations applied to event data may, forexample, be specified in one or more configuration files and referencedby one or more source type definitions.

2.5.3. Indexing

At blocks 314 and 316, an indexer can optionally generate a keywordindex to facilitate fast keyword searching for event data. To build akeyword index, at block 314, the indexer identifies a set of keywords ineach event. At block 316, the indexer includes the identified keywordsin an index, which associates each stored keyword with referencepointers to events containing that keyword (or to locations withinevents where that keyword is located, other location identifiers, etc.).When an indexer subsequently receives a keyword-based query, the indexercan access the keyword index to quickly identify events containing thekeyword.

In some embodiments, the keyword index may include entries forname-value pairs found in events, where a name-value pair can include apair of keywords connected by a symbol, such as an equals sign or colon.In this way, events containing these name-value pairs can be quicklylocated. In some embodiments, fields can automatically be generated forsome or all of the name-value pairs at the time of indexing. Forexample, if the string “dest=10.0.1.2” is found in an event, a fieldnamed “dest” may be created for the event, and assigned a value of“10.0.1.2”.

At block 318, the indexer stores the events in a data store, where atimestamp can be stored with each event to facilitate searching forevents based on a time range. In one embodiment, the stored events areorganized into “buckets,” where each bucket stores events associatedwith a specific time range based on the timestamps associated with eachevent. This may not only improve time-based searching, but also allowsfor events with recent timestamps, which may have a higher likelihood ofbeing accessed, to be stored in faster memory to facilitate fasterretrieval. For example, buckets containing the most recent events can bestored in flash memory instead of on hard disk.

Each indexer 206 may be responsible for storing and searching a subsetof the events contained in a corresponding data store 208. Bydistributing events among the indexers and data stores, the indexers cananalyze events for a query in parallel, for example, using map-reducetechniques, wherein each indexer returns partial responses for a subsetof events to a search head that combines the results to produce ananswer for the query. By storing events in buckets for specific timeranges, an indexer may further optimize searching by looking only inbuckets for time ranges that are relevant to a query.

Moreover, events and buckets can also be replicated across differentindexers and data stores to facilitate high availability and disasterrecovery as is described in U.S. patent application Ser. No. 14/266,812,entitled “SITE-BASED SEARCH AFFINITY”, filed on 30 Apr. 2014, and inU.S. patent application Ser. No. 14/266,817, entitled “MULTI-SITECLUSTERING”, also filed on 30 Apr. 2014, each of which is herebyincorporated by reference in its entirety for all purposes.

2.6. Query Processing

FIG. 4 is a flow diagram that illustrates an example process that asearch head and one or more indexers may perform during a search query.At block 402, a search head receives a search query from a client. Atblock 404, the search head analyzes the search query to determine whatportions can be delegated to indexers and what portions can be executedlocally by the search head. At block 406, the search head distributesthe determined portions of the query to the appropriate indexers. In anembodiment, a search head cluster may take the place of an independentsearch head where each search head in the search head clustercoordinates with peer search heads in the search head cluster toschedule jobs, replicate artifacts, update configurations, fulfillsearch requests, etc. In an embodiment, the search head (or each searchhead) communicates with a master node that provides the search head witha list of indexers to which the search head can distribute thedetermined portions of the query. The master node maintains a list ofactive indexers and can also designate which indexers may haveresponsibility for responding to queries over certain sets of events. Asearch head may communicate with the master node before the search headdistributes queries to indexers in order to discover the addresses ofactive indexers.

At block 408, the indexers to which the query was distributed searchtheir data stores for events that are responsive to the query. Todetermine which events are responsive to the query, the indexer searchesfor events that match the criteria specified in the query. This criteriacan include matching keywords or specific values for certain fields. Insearches that use a late-binding schema, the searching operations atblock 408 may involve using the late-binding schema to extract valuesfor specified fields from events at the time the query is processed. Inan embodiment, one or more rules for extracting field values may bespecified as part of a source type definition. The indexers may theneither send the relevant events back to the search head, or use theevents to calculate a partial result, and send the partial result backto the search head.

At block 410, the search head combines the partial results and/or eventsreceived from the indexers to produce a result for the query. Thisresult may comprise different types of data depending on what the queryrequested. For example, the results can include a listing of matchingevents returned by the query, or some type of visualization of the datafrom the returned events. In another example, the final result caninclude one or more calculated values derived from the matching events.

The results generated by the system 108 can be returned to a clientusing different techniques. For example, one technique streams resultsor relevant events back to a client in real-time as they are identified.Another technique waits to report the results to the client until acomplete set of results (which may include a set of relevant events or aresult based on relevant events) is ready to return to the client. Yetanother technique streams interim results or relevant events back to theclient in real-time until a complete set of results is ready, and thenreturns the complete set of results to the client. In another technique,certain results are stored as “search jobs” and the client may retrievethe results by referring the search jobs.

The search head can also perform various operations to make the searchmore efficient. For example, before the search head begins execution ofa query, the search head can determine a time range for the query and aset of common keywords that all matching events include. The search headmay then use these parameters to query the indexers to obtain a supersetof the eventual results. Then, during a filtering stage, the search headcan perform field-extraction operations on the superset to produce areduced set of search results. This speeds up queries that are performedon a periodic basis.

2.7. Field Extraction

The search head 210 allows users to search and visualize event dataextracted from raw machine data received from homogenous data sources,it also allows users to search and visualize event data extracted fromraw machine data received from heterogeneous data sources. The searchhead 210 includes various mechanisms for processing a query which mayadditionally reside in an indexer 206. A search query may expressed inSearch Processing Language (SPL), which is used in conjunction with theSPLUNK® ENTERPRISE system. SPL is a pipelined search language in which aset of inputs is operated on by a first command in a command line, andthen a subsequent command following the pipe symbol “I” operates on theresults produced by the first command, and so on for additionalcommands. A search query can also be expressed in other query languages,such as the Structured Query Language (“SQL”) or any other querylanguage.

In response to receiving the search query, search head 210 determinesthat it can use extraction rules to extract values for the fieldsassociated with a field or fields in the event data being searched. Thesearch head 210 obtains extraction rules that specify how to extract avalue for certain fields from an event. Extraction rules can compriseregex rules that specify how to extract values for the relevant fields.In addition to specifying how to extract field values, the extractionrules may also include instructions for deriving a field value byperforming a function on a character string or value retrieved by theextraction rule. For example, a transformation rule may truncate acharacter string, or convert the character string into a different dataformat. In some cases, the query itself can specify one or moreextraction rules.

The search head 210 can apply the extraction rules to event data that itreceives from indexers 206. Indexers 206 may apply the extraction rulesto events in an associated data store 208. Extraction rules can beapplied to all the events in a data store, or to a subset of the eventsthat have been filtered based on some criteria (e.g., event time stampvalues, etc.). Extraction rules can be used to extract one or morevalues for a field from events by parsing the event data and examiningthe event data for one or more patterns of characters, numbers,delimiters, etc., that indicate where the field begins and, optionally,ends.

FIG. 5 illustrates an example of raw machine data received fromdisparate data sources. In this example, a user submits an order formerchandise using a vendor's shopping application program 501 running onthe user's system. The order fails to be delivered to the vendor'sserver due to a resource exception at the destination server which isdetected by the middleware code 502. The user then sends a message tocustomer support 503 to complain about the order failing to complete.The three systems 501, 502, and 503 are disparate systems that do nothave a common logging format. The order application 501 sends log data504 to the SPLUNK® ENTERPRISE system in one format, the middleware code502 sends error log data 505 in a second format, and the support server503 sends log data 506 in a third format.

Using the log data received at one or more indexers 206 from the threesystems, the vendor, goodstuff.com, has the unique ability to obtain aninsight into user activity, user experience, and system behavior. Thesearch head 210 allows the vendor's administrator to search the log datafrom the three systems that are stored at the one or more indexers 206to obtain correlated information and also a visualization of relatedevents via a user interface. The administrator can query the search head210 for customer ID field value matches across the log data from thethree systems that are stored at the one or more indexers 206. Thecustomer ID field value exists in the data gathered from the threesystems, but the customer ID field value may be located in differentareas of the data given differences in the architecture of thesystems—there is a semantic relationship between the customer ID fieldvalues generated by the three systems. The search head 210 requestsevent data from the one or more indexers 206 in order to gather relevantevent data from the three systems. It then applies extraction rules tothe event data in order to extract field values that it can correlate.The search head may apply a different extraction rule to each set ofevents from each system when the event data format differs between eachsystem. In this example, the user interface can display, to theadministrator, the event data corresponding to the common customer IDfield values 507, 508, and 509. Thus, providing the administrator withan insight into a customer's experience.

Note that query results can be returned to a client, a search head, orany other system component for further processing. In general, queryresults may include a set of one or more events, a set of one or morevalues obtained from the events, a subset of the values, statisticscalculated based on the values, a report containing the values, or avisualization, such as a graph or chart, generated from the values.

2.8. Example Search Screen

FIG. 6A illustrates an example search screen 600 in accordance with thedisclosed embodiments. Search screen 600 includes a search bar 602 thataccepts user input in the form of a search string. It also includes atime range picker 612 that enables the user to specify a time range forthe search. For “historical searches” the user can select a specifictime range, or alternatively a relative time range, such as “today,”“yesterday” or “last week.” For “real-time searches,” the user canselect the size of a preceding time window to search for real-timeevents. Search screen 600 also initially displays a “data summary”dialog as is illustrated in FIG. 6B that enables the user to selectdifferent sources for the event data, for example by selecting specifichosts and log files.

After the search is executed, the search screen 600 can display theresults through search results tabs 604, wherein search results tabs 604includes: an “events tab” that displays various information about eventsreturned by the search; a “statistics tab” that displays statisticsabout the search results; and a “visualization tab” that displaysvarious visualizations of the search results. The events tab illustratedin FIG. 6A displays a timeline graph 605 that graphically illustratesthe number of events that occurred in one-hour intervals over theselected time range. It also displays an events list 608 that enables auser to view the raw data in each of the returned events. Itadditionally displays a fields sidebar 606 that includes statisticsabout occurrences of specific fields in the returned events, including“selected fields” that are pre-selected by the user, and “interestingfields” that are automatically selected by the system based onpre-specified criteria.

2.9. Data Modelling

In an embodiment, the data intake and query system provides the userwith the ability to produce reports (e.g., a table, chart,visualization, etc.) without having to enter SPL, SQL, or other querylanguage terms into a search screen. Data modelling is used as the basisfor the search feature. A data model may include one or more “objects”(or “data model objects”) that define or otherwise correspond to aspecific set of data. For example, a first data model object may definea broad set of data pertaining to e-mail activity generally, and anotherdata model object may define specific datasets within the broad dataset,such as a subset of the e-mail data pertaining specifically to e-mailssent. Examples of data models can include, but are not limited to,electronic mail, authentication, databases, intrusion detection,malware, application state, alerts, compute inventory, network sessions,network traffic, performance, audits, updates, vulnerabilities, etc.Data models and their objects can be designed, for example, by knowledgemanagers in an organization, and they can enable downstream users toquickly focus on a specific set of data. For example, a user can simplyselect an “e-mail activity” data model object to access a datasetrelating to e-mails generally (e.g., sent or received), or select an“e-mails sent” data model object (or data sub-model object) to access adataset relating to e-mails sent.

A data model object may be defined by (1) a set of search constraints,and (2) a set of fields. Thus, a data model object can be used toquickly search data to identify a set of events and to identify a set offields to be associated with the set of events. For example, an “e-mailssent” data model object may specify a search for events relating toe-mails that have been sent, and specify a set of fields that areassociated with the events. Thus, a user can retrieve and use the“e-mails sent” data model object to quickly search source data forevents relating to sent e-mails, and may be provided with a listing ofthe set of fields relevant to the events in a user interface screen.

A data model may be defined by search criteria (e.g., a set of searchconstraints, late-binding schema extraction rules, etc.) and anassociated set of fields. A data sub-model (e.g., a child of the parentdata model) may be defined by a search (typically a narrower search)that produces a subset of the events that would be produced by theparent data model's search, and the sub-model's set of fields caninclude a subset of the set of fields of the parent data model and/oradditional fields. Data model objects that reference the subsets can bearranged in a hierarchical manner, so that child subsets of events areproper subsets of their parents. A user iteratively applies a modeldevelopment tool to prepare a query that defines a subset of events andassigns an object name to that subset. A child subset is created byfurther limiting a query that generates a parent subset. A late-bindingschema of field extraction rules is associated with each object orsubset in the data model. Data definitions in associated schemas can betaken from the common information model (CIM) or can be devised for aparticular schema and optionally added to the CIM. Child objects inheritfields from parents and can include fields not present in parents. Amodel developer can select fewer extraction rules than are available forthe sources returned by the query that defines events belonging to amodel. Selecting a limited set of extraction rules can be a tool forsimplifying and focusing the data model, while allowing a userflexibility to explore the data subset. Development of a data model isfurther explained in U.S. Pat. No. 8,788,525, entitled “DATA MODEL FORMACHINE DATA FOR SEMANTIC SEARCH”, issued on Jul. 22, 2014, U.S. Pat.No. 8,788,526, entitled “DATA MODEL FOR MACHINE DATA FOR SEMANTICSEARCH”, issued on Jul. 22, 2014, and U.S. patent application Ser. No.14/067,203, entitled “GENERATION OF A DATA MODEL FOR SEARCHING MACHINEDATA”, filed on 30 Oct. 2013, each of which is hereby incorporated byreference in its entirety for all purposes. See, also, Knowledge ManagerManual, Build a Data Model, Splunk Enterprise 6.1.3 pp. 150-204 (Aug.25, 2014).

A data model can also include reports. One or more report formats can beassociated with a particular data model and be made available to runagainst the data model. A user can use child objects to design reportswith object datasets that already have extraneous data pre-filtered out.

Data models may be selected in a report generation interface. The reportgenerator supports drag-and-drop organization of fields to be summarizedin a report. When a model is selected, the fields with availableextraction rules are made available for use in the report. A userselects some fields for organizing the report and others for providingdetail according to the report organization. For example, region andsalesperson fields may be organizing fields and sales data can besummarized (subtotaled and totaled) within this organization. Buildingreports using the report generation interface is further explained inU.S. patent application Ser. No. 14/503,335, entitled “GENERATINGREPORTS FROM UNSTRUCTURED DATA”, filed on Sep. 30, 2014, and which ishereby incorporated by reference in its entirety for all purposes, andin Pivot Manual, Splunk Enterprise 6.1.3 (Aug. 4, 2014). Datavisualizations also can be generated in a variety of formats, byreference to the data model. Reports, data visualizations, and datamodel objects can be saved and associated with the data model for futureuse. The data model object may be used to perform searches of otherdata.

FIGS. 7A-7D illustrate a series of user interface screens where a usermay select report generation options using data models. The reportgeneration process may be driven by a predefined data model object, suchas a data model object defined and/or saved via a reporting applicationor a data model object obtained from another source. A user can load asaved data model object using a report editor. For example, the initialsearch query and fields used to drive the report editor may be obtainedfrom a data model object. The data model object that is used to drive areport generation process may define a search and a set of fields. Uponloading of the data model object, the report generation process mayenable a user to use the fields (e.g., the fields defined by the datamodel object) to define criteria for a report (e.g., filters, splitrows/columns, aggregates, etc.) and the search may be used to identifyevents (e.g., to identify events responsive to the search) used togenerate the report. That is, for example, if a data model object isselected to drive a report editor, the graphical user interface of thereport editor may enable a user to define reporting criteria for thereport using the fields associated with the selected data model object,and the events used to generate the report may be constrained to theevents that match, or otherwise satisfy, the search constraints of theselected data model object.

The selection of a data model object for use in driving a reportgeneration may be facilitated by a data model object selectioninterface. For example, an interactive data model selection graphicaluser interface of a report editor may display a listing of availabledata models, enabling a user to select one of the data models, displaythe data model objects associated with the data model selected, andenable a user to select one of the displayed data model objects for usein driving the report generation process.

In FIG. 7A, once a data model object is selected by the user, a userinterface screen 700 may display an interactive listing of automaticfield identification options 701 based on the selected data modelobject. For example, a user may select one of the three illustratedoptions (e.g., the “All Fields” option 702, the “Selected Fields” option703, or the “Coverage” option (e.g., fields with at least a specified %of coverage) 704). If the user selects the “All Fields” option 702, allof the fields identified from the events that were returned in responseto an initial search query may be selected. That is, for example, all ofthe fields of the identified data model object fields may be selected.If the user selects the “Selected Fields” option 703, only the fieldsfrom the fields of the identified data model object fields that areselected by the user may be used. If the user selects the “Coverage”option 704, only the fields of the identified data model object fieldsmeeting a specified coverage criteria may be selected. A percentcoverage may refer to the percentage of events returned by the initialsearch query that a given field appears in. Thus, for example, if anobject dataset includes 10,000 events returned in response to an initialsearch query, and the “avg_age” field appears in 854 of those 10,000events, then the “avg_age” field would have a coverage of 8.54% for thatobject dataset. If, for example, the user selects the “Coverage” optionand specifies a coverage value of 2%, only fields having a coveragevalue equal to or greater than 2% may be selected. The number of fieldscorresponding to each selectable option may be displayed in associationwith each option. For example, “97” displayed next to the “All Fields”option 702 indicates that 97 fields will be selected if the “All Fields”option is selected. The “3” displayed next to the “Selected Fields”option 703 indicates that 3 of the 97 fields will be selected if the“Selected Fields” option is selected. The “49” displayed next to the“Coverage” option 704 indicates that 49 of the 97 fields (e.g., the 49fields having a coverage of 2% or greater) will be selected if the“Coverage” option is selected. The number of fields corresponding to the“Coverage” option may be dynamically updated based on the specifiedpercent of coverage.

FIG. 7B illustrates a graphical user interface screen 705 displaying thereporting application's “Report Editor” page. The screen may displayinteractive elements for defining various elements of a report. Forexample, the page includes a “Filters” element 706, a “Split Rows”element 707, a “Split Columns” element 708, and a “Column Values”element 709. The page may include a list of search results 711. In thisexample, the Split Rows element 707 is expanded, revealing a listing offields 710 that can be used to define additional criteria (e.g.,reporting criteria). The listing of fields 710 may correspond to theselected fields (attributes). That is, the listing of fields 710 maylist only the fields previously selected, either automatically and/ormanually by a user. FIG. 7C illustrates a formatting dialogue 712 thatmay be displayed upon selecting a field from the listing of fields 710.The dialogue can be used to format the display of the results of theselection (e.g., label the column to be displayed as “component”).

FIG. 7D illustrates an example graphical user interface screen 705including a table of results 713 based on the selected criteriaincluding splitting the rows by the “component” field.

2.10. Acceleration Technique

The above-described system provides significant flexibility by enablinga user to analyze massive quantities of minimally processed performancedata “on the fly” at search time instead of storing pre-specifiedportions of the performance data in a database at ingestion time. Thisflexibility enables a user to see correlations in the performance dataand perform subsequent queries to examine interesting aspects of theperformance data that may not have been apparent at ingestion time.

However, performing extraction and analysis operations at search timecan involve a large amount of data and require a large number ofcomputational operations, which can cause delays while processing thequeries. Fortunately, a number of acceleration techniques have beendeveloped to speed up analysis operations performed at search time.These techniques include: (1) performing search operations in parallelacross multiple indexers; (2) using a keyword index; (3) using a highperformance analytics store; and (4) accelerating the process ofgenerating reports. These techniques are described in more detail below.

2.10.1. Aggregation Technique

To facilitate faster query processing, a query can be structured suchthat multiple indexers perform the query in parallel, while aggregationof search results from the multiple indexers is performed locally at thesearch head. For example, FIG. 8 illustrates how a search query 802received from a client at a search head 210 can split into two phases,including: (1) subtasks 804 (e.g., data retrieval or simple filtering)that may be performed in parallel by indexers 206 for execution, and (2)a search results aggregation operation 806 to be executed by the searchhead when the results are ultimately collected from the indexers.

During operation, upon receiving search query 802, a search head 210determines that a portion of the operations involved with the searchquery may be performed locally by the search head. The search headmodifies search query 802 by substituting “stats” (create aggregatestatistics over results sets received from the indexers at the searchhead) with “prestats” (create statistics by the indexer from localresults set) to produce search query 804, and then distributes searchquery 804 to distributed indexers, which are also referred to as “searchpeers.” Note that search queries may generally specify search criteriaor operations to be performed on events that meet the search criteria.Search queries may also specify field names, as well as search criteriafor the values in the fields or operations to be performed on the valuesin the fields. Moreover, the search head may distribute the full searchquery to the search peers as is illustrated in FIG. 4, or mayalternatively distribute a modified version (e.g., a more restrictedversion) of the search query to the search peers. In this example, theindexers are responsible for producing the results and sending them tothe search head. After the indexers return the results to the searchhead, the search head aggregates the received results 806 to form asingle search result set. Note that by executing the computation in thisway, the system effectively distributes the computational operationsacross the indexers while minimizing data transfers.

2.10.2. Keyword Index

As described above with reference to the flow charts in FIG. 3 and FIG.4, data intake and query system 108 can construct and maintain one ormore keyword indices to facilitate rapidly identifying events containingspecific keywords. This can greatly speed up the processing of queriesinvolving specific keywords. As mentioned above, to build a keywordindex, an indexer first identifies a set of keywords. Then, the indexerincludes the identified keywords in an index, which associates eachstored keyword with references to events containing that keyword, or tolocations within events where that keyword is located. When an indexersubsequently receives a keyword-based query, the indexer can access thekeyword index to quickly identify events containing the keyword.

2.10.3. High Performance Analytics Store

To speed up certain types of queries, some embodiments of system 108make use of a high performance analytics store, which is referred to asa “summarization table,” that contains entries for specific field-valuepairs. Each of these entries keeps track of instances of a specificvalue in a specific field in the event data and includes references toevents containing the specific value in the specific field. For example,an example entry in a summarization table can keep track of occurrencesof the value “94107” in a “ZIP code” field of a set of events, whereinthe entry includes references to all of the events that contain thevalue “94107” in the ZIP code field. This enables the system to quicklyprocess queries that seek to determine how many events have a particularvalue for a particular field, because the system can examine the entryin the summarization table to count instances of the specific value inthe field without having to go through the individual events or doextractions at search time. Also, if the system needs to process allevents that have a specific field-value combination, the system can usethe references in the summarization table entry to directly access theevents to extract further information without having to search all ofthe events to find the specific field-value combination at search time.

In some embodiments, the system maintains a separate summarization tablefor each of the above-described time-specific buckets that stores eventsfor a specific time range, wherein a bucket-specific summarization tableincludes entries for specific field-value combinations that occur inevents in the specific bucket. Alternatively, the system can maintain aseparate summarization table for each indexer, wherein theindexer-specific summarization table only includes entries for theevents in a data store that is managed by the specific indexer.Indexer-specific summarization tables may also be bucket-specific.

The summarization table can be populated by running a periodic querythat scans a set of events to find instances of a specific field-valuecombination, or alternatively instances of all field-value combinationsfor a specific field. A periodic query can be initiated by a user or canbe scheduled to occur automatically at specific time intervals. Aperiodic query can also be automatically launched in response to a querythat asks for a specific field-value combination.

In some cases, the summarization tables may not cover all of the eventsthat are relevant to a query. In this case, the system can use thesummarization tables to obtain partial results for the events that arecovered by summarization tables, but may also have to search throughother events that are not covered by the summarization tables to produceadditional results. These additional results can then be combined withthe partial results to produce a final set of results for the query.This summarization table and associated techniques are described in moredetail in U.S. Pat. No. 8,682,925, entitled “DISTRIBUTED HIGHPERFORMANCE ANALYTICS STORE”, issued on Mar. 25, 2014, and which ishereby incorporated by reference in its entirety for all purposes.

2.10.4. Accelerating Report Generation

In some embodiments, a data server system such as the SPLUNK® ENTERPRISEsystem can accelerate the process of periodically generating updatedreports based on query results. To accelerate this process, asummarization engine automatically examines the query to determinewhether generation of updated reports can be accelerated by creatingintermediate summaries. (This is possible if results from preceding timeperiods can be computed separately and combined to generate an updatedreport. In some cases, it is not possible to combine such incrementalresults, for example where a value in the report depends onrelationships between events from different time periods.) If reportscan be accelerated, the summarization engine periodically generates asummary covering data obtained during a latest non-overlapping timeperiod. For example, where the query seeks events meeting a specifiedcriteria, a summary for the time period includes only events within thetime period that meet the specified criteria. Similarly, if the queryseeks statistics calculated from the events, such as the number ofevents that match the specified criteria, then the summary for the timeperiod includes the number of events in the period that match thespecified criteria.

In parallel with the creation of the summaries, the summarization engineschedules the periodic updating of the report associated with the query.During each scheduled report update, the query engine determines whetherintermediate summaries have been generated covering portions of the timeperiod covered by the report update. If so, then the report is generatedbased on the information contained in the summaries. Also, if additionalevent data has been received and has not yet been summarized, and isrequired to generate the complete report, the query can be run on thisadditional event data. Then, the results returned by this query on theadditional event data, along with the partial results obtained from theintermediate summaries, can be combined to generate the updated report.This process is repeated each time the report is updated. Alternatively,if the system stores events in buckets covering specific time ranges,then the summaries can be generated on a bucket-by-bucket basis. Notethat producing intermediate summaries can save the work involved inre-running the query for previous time periods, so only the newer eventdata needs to be processed while generating an updated report. Thesereport acceleration techniques are described in more detail in U.S. Pat.No. 8,589,403, entitled “COMPRESSED JOURNALING IN EVENT TRACKING FILESFOR METADATA RECOVERY AND REPLICATION”, issued on 19 Nov. 2013, and U.S.Pat. No. 8,412,696, entitled “REAL TIME SEARCHING AND REPORTING”, issuedon 2 Apr. 2011, each of which is hereby incorporated by reference in itsentirety for all purposes.

2.11. Security Features

The SPLUNK® ENTERPRISE platform provides various schemas, dashboards andvisualizations that make it easy for developers to create applicationsto provide additional capabilities. One such application is the SPLUNKAPP FOR ENTERPRISE SECURITY, which performs monitoring and alertingoperations and includes analytics to facilitate identifying both knownand unknown security threats based on large volumes of data stored bythe SPLUNK® ENTERPRISE system. This differs significantly fromconventional Security Information and Event Management (SIEM) systemsthat lack the infrastructure to effectively store and analyze largevolumes of security-related event data. Traditional SIEM systemstypically use fixed schemas to extract data from pre-definedsecurity-related fields at data ingestion time, wherein the extracteddata is typically stored in a relational database. This data extractionprocess (and associated reduction in data size) that occurs at dataingestion time inevitably hampers future incident investigations, whenall of the original data may be needed to determine the root cause of asecurity issue, or to detect the tiny fingerprints of an impendingsecurity threat.

In contrast, the SPLUNK® APP FOR ENTERPRISE SECURITY system stores largevolumes of minimally processed security-related data at ingestion timefor later retrieval and analysis at search time when a live securitythreat is being investigated. To facilitate this data retrieval process,the SPLUNK® APP FOR ENTERPRISE SECURITY provides pre-specified schemasfor extracting relevant values from the different types ofsecurity-related event data, and also enables a user to define suchschemas.

The SPLUNK® APP FOR ENTERPRISE SECURITY can process many types ofsecurity-related information. In general, this security-relatedinformation can include any information that can be used to identifysecurity threats. For example, the security-related information caninclude network-related information, such as IP addresses, domain names,asset identifiers, network traffic volume, uniform resource locatorstrings, and source addresses. (The process of detecting securitythreats for network-related information is further described in U.S.patent application Ser. No. 13/956,252, and Ser. No. 13/956,262.)Security-related information can also include endpoint information, suchas malware infection data and system configuration information, as wellas access control information, such as login/logout information andaccess failure notifications. The security-related information canoriginate from various sources within a data center, such as hosts,virtual machines, storage devices and sensors. The security-relatedinformation can also originate from various sources in a network, suchas routers, switches, email servers, proxy servers, gateways, firewallsand intrusion-detection systems.

During operation, the SPLUNK® APP FOR ENTERPRISE SECURITY facilitatesdetecting so-called “notable events” that are likely to indicate asecurity threat. These notable events can be detected in a number ofways: (1) an analyst can notice a correlation in the data and canmanually identify a corresponding group of one or more events as“notable;” or (2) an analyst can define a “correlation search”specifying criteria for a notable event, and every time one or moreevents satisfy the criteria, the application can indicate that the oneor more events are notable. An analyst can alternatively select apre-defined correlation search provided by the application. Note thatcorrelation searches can be run continuously or at regular intervals(e.g., every hour) to search for notable events. Upon detection, notableevents can be stored in a dedicated “notable events index,” which can besubsequently accessed to generate various visualizations containingsecurity-related information. Also, alerts can be generated to notifysystem operators when important notable events are discovered.

The SPLUNK® APP FOR ENTERPRISE SECURITY provides various visualizationsto aid in discovering security threats, such as a “key indicators view”that enables a user to view security metrics of interest, such as countsof different types of notable events. For example, FIG. 9A illustratesan example key indicators view 900 that comprises a dashboard, which candisplay a value 901, for various security-related metrics, such asmalware infections 902. It can also display a change in a metric value903, which indicates that the number of malware infections increased by63 during the preceding interval. Key indicators view 900 additionallydisplays a histogram panel 904 that displays a histogram of notableevents organized by urgency values, and a histogram of notable eventsorganized by time intervals. This key indicators view is described infurther detail in pending U.S. patent application Ser. No. 13/956,338,entitled “KEY INDICATORS VIEW”, filed Jul. 31, 2013, and which is herebyincorporated by reference in its entirety for all purposes.

These visualizations can also include an “incident review dashboard”that enables a user to view and act on “notable events.” These notableevents can include: (1) a single event of high importance, such as anyactivity from a known web attacker; or (2) multiple events thatcollectively warrant review, such as a large number of authenticationfailures on a host followed by a successful authentication. For example,FIG. 9B illustrates an example incident review dashboard 910 thatincludes a set of incident attribute fields 911 that, for example,enables a user to specify a time range field 912 for the displayedevents. It also includes a timeline 913 that graphically illustrates thenumber of incidents that occurred in one-hour time intervals over theselected time range. It additionally displays an events list 914 thatenables a user to view a list of all of the notable events that matchthe criteria in the incident attributes fields 911. To facilitateidentifying patterns among the notable events, each notable event can beassociated with an urgency value (e.g., low, medium, high, critical),which is indicated in the incident review dashboard. The urgency valuefor a detected event can be determined based on the severity of theevent and the priority of the system component associated with theevent.

2.12. Data Center Monitoring

As mentioned above, the SPLUNK® ENTERPRISE platform provides variousfeatures that make it easy for developers to create variousapplications. One such application is the SPLUNK® APP FOR VMWARE®, whichperforms monitoring operations and includes analytics to facilitatediagnosing the root cause of performance problems in a data center basedon large volumes of data stored by the SPLUNK® ENTERPRISE system.

This differs from conventional data-center-monitoring systems that lackthe infrastructure to effectively store and analyze large volumes ofperformance information and log data obtained from the data center. Inconventional data-center-monitoring systems, this performance data istypically pre-processed prior to being stored, for example by extractingpre-specified data items from the performance data and storing them in adatabase to facilitate subsequent retrieval and analysis at search time.However, the rest of the performance data is not saved and isessentially discarded during pre-processing. In contrast, the SPLUNK®APP FOR VMWARE® stores large volumes of minimally processed performanceinformation and log data at ingestion time for later retrieval andanalysis at search time when a live performance issue is beinginvestigated.

The SPLUNK® APP FOR VMWARE® can process many types ofperformance-related information. In general, this performance-relatedinformation can include any type of performance-related data and logdata produced by virtual machines and host computer systems in a datacenter. In addition to data obtained from various log files, thisperformance-related information can include values for performancemetrics obtained through an application programming interface (API)provided as part of the vSphere Hypervisor™ system distributed byVMware, Inc. of Palo Alto, Calif. For example, these performance metricscan include: (1) CPU-related performance metrics; (2) disk-relatedperformance metrics; (3) memory-related performance metrics; (4)network-related performance metrics; (5) energy-usage statistics; (6)data-traffic-related performance metrics; (7) overall systemavailability performance metrics; (8) cluster-related performancemetrics; and (9) virtual machine performance statistics. Suchperformance metrics are described in U.S. patent application Ser. No.14/167,316, entitled “CORRELATION FOR USER-SELECTED TIME RANGES OFVALUES FOR PERFORMANCE METRICS OF COMPONENTS IN ANINFORMATION-TECHNOLOGY ENVIRONMENT WITH LOG DATA FROM THATINFORMATION-TECHNOLOGY ENVIRONMENT”, filed 29 Jan. 2014, and which ishereby incorporated by reference in its entirety for all purposes.

To facilitate retrieving information of interest from performance dataand log files, the SPLUNK® APP FOR VMWARE® provides pre-specifiedschemas for extracting relevant values from different types ofperformance-related event data, and also enables a user to define suchschemas.

The SPLUNK® APP FOR VMWARE® additionally provides various visualizationsto facilitate detecting and diagnosing the root cause of performanceproblems. For example, one such visualization is a “proactive monitoringtree” that enables a user to easily view and understand relationshipsamong various factors that affect the performance of a hierarchicallystructured computing system. This proactive monitoring tree enables auser to easily navigate the hierarchy by selectively expanding nodesrepresenting various entities (e.g., virtual centers or computingclusters) to view performance information for lower-level nodesassociated with lower-level entities (e.g., virtual machines or hostsystems). Example node-expansion operations are illustrated in FIG. 9C,wherein nodes 933 and 934 are selectively expanded. Note that nodes931-939 can be displayed using different patterns or colors to representdifferent performance states, such as a critical state, a warning state,a normal state or an unknown/offline state. The ease of navigationprovided by selective expansion in combination with the associatedperformance-state information enables a user to quickly diagnose theroot cause of a performance problem. The proactive monitoring tree isdescribed in further detail in U.S. patent application Ser. No.14/235,490, entitled “TRANSMISSION APPARATUS AND METHOD, AND RECEPTIONAPPARATUS AND METHOD FOR PROVIDING 3D SERVICE USING THE CONTENT ANDADDITIONAL IMAGE SEPARATELY TRANSMITTED WITH THE REFERENCE IMAGETRANSMITTED IN REAL TIME”, filed on 15 Apr. 2014, and which is herebyincorporated by reference in its entirety for all purposes.

The SPLUNK® APP FOR VMWARE® also provides a user interface that enablesa user to select a specific time range and then view heterogeneous data,comprising events, log data and associated performance metrics, for theselected time range. For example, the screen illustrated in FIG. 9Ddisplays a listing of recent “tasks and events” and a listing of recent“log entries” for a selected time range above a performance-metric graphfor “average CPU core utilization” for the selected time range. Notethat a user is able to operate pull-down menus 942 to selectivelydisplay different performance metric graphs for the selected time range.This enables the user to correlate trends in the performance-metricgraph with corresponding event and log data to quickly determine theroot cause of a performance problem. This user interface is described inmore detail in U.S. patent application Ser. No. 14/167,316, entitled“CORRELATION FOR USER-SELECTED TIME RANGES OF VALUES FOR PERFORMANCEMETRICS OF COMPONENTS IN AN INFORMATION-TECHNOLOGY ENVIRONMENT WITH LOGDATA FROM THAT INFORMATION-TECHNOLOGY ENVIRONMENT”, filed on 29 Jan.2014, and which is hereby incorporated by reference in its entirety forall purposes.

2.13. Cloud-Based System Overview

The example data intake and query system 108 described in reference toFIG. 2 comprises several system components, including one or moreforwarders, indexers, and search heads. In some environments, a user ofa data intake and query system 108 may install and configure, oncomputing devices owned and operated by the user, one or more softwareapplications that implement some or all of these system components. Forexample, a user may install a software application on server computersowned by the user and configure each server to operate as one or more ofa forwarder, an indexer, a search head, etc. This arrangement generallymay be referred to as an “on-premises” solution, meaning the system 108is installed and operates on computing devices directly controlled bythe user of the system. Some users may prefer an on-premises solutionsince it may provide a greater level of control over the configurationof certain aspects of the system (e.g., security, privacy, standards,controls, etc.). However, other users may instead prefer an arrangementin which the user is not directly responsible for providing and managingthe computing devices upon which various components of system 108operate.

In one embodiment, to provide an alternative to an entirely on-premisesenvironment for system 108, one or more of the components of a dataintake and query system instead may be provided as a cloud-basedservice. In this context, a cloud-based service refers to a servicehosted by one more computing resources that are accessible to end usersover a network, for example, by using a web browser or other applicationon a client device to interface with the remote computing resources. Forexample, a service provider may provide a cloud-based data intake andquery system by managing computing resources configured to implementvarious aspects of the system (e.g., forwarders, indexers, search heads,etc.) and providing access to the system to end users via a network.Typically, a user may pay a subscription or other fee to use such aservice, and each subscribing user to the cloud-based service may beprovided with an account that enables the user to configure a customizedcloud-based system based on the user's preferences.

FIG. 10 illustrates a block diagram of an example cloud-based dataintake and query system. Similar to the system of FIG. 2, the networkedcomputer system 1000 includes input data sources 202 and forwarders 204.In the example system 1000, one or more forwarders 204 and clientdevices 1002 are coupled to a cloud-based data intake and query system1006 via one or more networks 1004. Network 1004 broadly represents oneor more LANs, WANs, cellular networks, intranetworks, internetworks,etc., using any of wired, wireless, terrestrial microwave, satellitelinks, etc., and may include the public Internet, and is used by clientdevices 1002 and forwarders 204 to access the system 1006. Similar tothe system of 108, each of the forwarders 204 may be configured toreceive data from an input source and to forward the data to othercomponents of the system 1006 for further processing.

In an embodiment, a cloud-based data intake and query system 1006 maycomprise a plurality of system instances 1008. In general, each systeminstance 1008 may include one or more computing resources managed by aprovider of the cloud-based system 1006 made available to a particularsubscriber. The computing resources comprising a system instance 1008may, for example, include one or more servers or other devicesconfigured to implement one or more forwarders, indexers, search heads,and other components of a data intake and query system, similar tosystem 108. As indicated above, a subscriber may use a web browser orother application of a client device 1002 to access a web portal orother interface that enables the subscriber to configure an instance1008.

Providing a data intake and query system as described in reference tosystem 108 as a cloud-based service presents a number of challenges.Each of the components of a system 108 (e.g., forwarders, indexers andsearch heads) may at times refer to various configuration files storedlocally at each component. These configuration files typically mayinvolve some level of user configuration to accommodate particular typesof data a user desires to analyze and to account for other userpreferences. However, in a cloud-based service context, users typicallymay not have direct access to the underlying computing resourcesimplementing the various system components (e.g., the computingresources comprising each system instance 1008) and may desire to makesuch configurations indirectly, for example, using one or more web-basedinterfaces. Thus, the techniques and systems described herein forproviding user interfaces that enable a user to configure source typedefinitions are applicable to both on-premises and cloud-based servicecontexts, or some combination thereof (e.g., a hybrid system where bothan on-premises environment such as SPLUNK® ENTERPRISE and a cloud-basedenvironment such as SPLUNK CLOUD™ are centrally visible).

2.14. Searching Externally Archived Data

FIG. 11 shows a block diagram of an example of a data intake and querysystem 108 that provides transparent search facilities for data systemsthat are external to the data intake and query system. Such facilitiesare available in the HUNK® system produced by Splunk Inc. of SanFrancisco, Calif. The search head 210 of the data intake and querysystem receives search requests from one or more client devices 1104over network connections. As discussed above, the data intake and querysystem 108 may reside in an enterprise location, in the cloud, etc. FIG.11 illustrates that multiple client devices 1104 a, 1104 b, . . . , 1104n may communicate with the data intake and query system 108. The clientdevices 104 may communicate with the data intake and query system usinga variety of connections. For example, one client device in FIG. 11 isillustrated as communicating over an Internet (Web) protocol, anotherclient device is illustrated as communicating via a command lineinterface, and another client device is illustrated as communicating viaa system developer kit (SDK).

The search head 210 analyzes the received search request to identifyrequest parameters. If a search request received from one of the clientdevices 1104 references an index maintained by the data intake and querysystem, then the search head 210 connects to one or more indexers 206 ofthe data intake and query system for the index referenced in the requestparameters. That is, if the request parameters of the search requestreference an index, then the search head accesses the data in the indexvia the indexer. The data intake and query system 108 may include one ormore indexers 206, depending on system access resources andrequirements. As described further below, the indexers 206 retrieve datafrom their respective local data stores 208 as specified in the searchrequest. The indexers and their respective data stores that can compriseone or more storage devices and typically reside on the same system,though they may be connected via a local network connection.

If the request parameters of the received search request reference anexternal data collection, which is not accessible to the indexers 206 orunder the management of the data intake and query system, then thesearch head 210 can access the external data collection through anExternal Result Provider (ERP) process 1110. An external data collectionmay be referred to as a “virtual index” (plural, “virtual indices”). AnERP process provides an interface through which the search head 210 mayaccess virtual indices.

Thus, a search reference to an index of the system is understood torelate to a locally stored and managed data collection, but a searchreference to a virtual index is understand to relate to an externallystored and managed data collection, which the search head may accessthrough one or more ERP processes 1110, 1112. FIG. 11 shows two ERPprocesses 1110, 1112 that connect to respective remote (external)virtual indices, which are indicated as a Hadoop or other system 1114(e.g., Amazon S3, Amazon EMR, other Hadoop Compatible File Systems(HCFS), etc.) and a relational database management system (RDBMS) 1116.Other virtual indices may include other file organizations andprotocols, such as Structured Query Language (SQL) and the like. Theellipses between the ERP processes 1110, 1112 indicate optionaladditional ERP processes of the data intake and query system 108. An ERPprocess may be a computer process that is initiated or spawned by thesearch head 210 and is executed by the search data intake and querysystem 108. Alternatively or additionally, an ERP process may be aprocess spawned by the search head 210 on the same or different hostsystem as the search head 210 resides.

The search head 210 may spawn a single ERP process in response tomultiple virtual indexes referenced in a search request, or the searchhead may spawn different ERP processes for different virtual indices.Generally, virtual indices that share common data configurations orprotocols may share ERP processes. For example, all search queryreferences to a Hadoop file system may be processed by the same ERPprocess, if the ERP process is suitably configured. Likewise, all searchquery references to a SQL database may be processed by the same ERPprocess. In addition, the search head may provide a common ERP processfor common external data source types (e.g., a common vendor may utilizea common ERP process, even if the vendor includes different data storagesystem types, such as Hadoop and SQL). Common indexing schemes also maybe handled by common ERP processes, such as flat text files or Weblogfiles.

The search head 210 determines the number of ERP processes to beinitiated via the use of configuration parameters that are included in asearch request message. Generally, there is a one-to-many relationshipbetween an external results provider “family” and ERP processes, andthere is also a one-to-many relationship between an ERP process andcorresponding virtual indexes that are referred to in a search request.For example, using RDBMS, assume two independent instances of such asystem by one vendor, such as one RDBMS for production and another RDBMSused for development. In such a situation, it is likely preferable (butoptional) to use two ERP processes, to maintain the independentoperation as between production and development data, but both of theERPs will belong to the same family, because the two RDBMS system typesare from the same vendor.

The ERP process 1110, 1112 receives a search request from the searchhead 210. The search head may optimize the received search request forexecution at the respective external virtual index. Alternatively, theERP process may receive a search request as a result of analysisperformed by the search head or by a different system process. The ERPprocess 1110, 1112 can communicate with the search head 210 viaconventional input/output routines (e.g., standard in/standard out,etc.). In this way, the ERP process receives the search request from aclient device such that the search request may be efficiently executedat the corresponding external virtual index.

The ERP process 1110, 1112 may be implemented as a process of the dataintake and query system. Each ERP process may be provided by the dataintake and query system, or may be provided by process or applicationproviders who are independent of the data intake and query system. Eachrespective ERP process may include an interface application installed ata computer of the external result provider that ensures propercommunication between the search support system and the external resultprovider. The ERP processes 1110, 1112 generate appropriate searchrequests in the protocol and syntax of the respective virtual indices1114, 1116 each of which corresponds to the search request received bythe search support system 210. Upon receiving search results from theircorresponding virtual indices, the respective ERP process passes theresult to the search head 210, which may return or display the resultsor a processed set of results based on the returned results to therespective client device.

Client devices 1104 may communicate with the data intake and querysystem 108 through a network interface 1120, e.g., one or more LANs,WANs, cellular networks, intranetworks, and/or internetworks using anyof wired, wireless, terrestrial microwave, satellite links, etc., andmay include the public Internet. This is described in more detail inU.S. Pat. No. 8,738,629, entitled “EXTERNAL RESULT PROVIDED PROCESS FORRETRIEVING DATA STORED USING A DIFFERENT CONFIGURATION OR PROTOCOL”,issued on 27 May 2014, and which is hereby incorporated by reference inits entirety for all purposes.

2.14.1. ERP Process Features

The ERP processes described above may include two operation modes, astreaming mode, and a reporting mode. The ERP processes can operate instreaming mode only, or reporting mode only, or in both modessimultaneously. Operating in both modes simultaneously is referred to asmixed mode operation. Further, it will be appreciated that in mixed modeoperation, the ERP at some point can stop providing the search head withstreaming results and only provide reporting results thereafter, or thesearch head at some point may start ignoring streaming results it hasbeen using and only use reporting results thereafter.

The streaming mode returns search results in real time with minimalprocessing, in response to the search request. The reporting modeprovides results of a search request with processing of the searchresults prior to providing them to the requesting search head, which inturn provides results to the requesting client device. ERP operationwith such multiple modes provides greater flexibility in the performanceof the ERP process with regard to report time, search latency, andresource utilization.

In mixed mode operation, both streaming mode and reporting mode areoperating simultaneously. The streaming mode results (e.g., the raw dataobtained from the external data source) are provided to the search head,which can then process the results data (e.g., break the raw data intoevents, timestamp it, filter it, etc.) and integrate the results datawith the results data from other external data sources, and/or from datastores of the search head. The search head performs such processing andcan immediately start returning interim results to the user at therequesting client device, providing the streaming mode results, whilethe search head is simultaneously waiting for the ERP process to processthe data it is retrieving from the external data source as a result ofthe concurrently executing reporting mode.

In some instances, the ERP process initially operates in a mixed mode,such that the streaming mode operates to enable the ERP quickly toreturn interim results (e.g., some of the raw or unprocessed datanecessary to respond to a search request) to the search head, enablingthe search head to process the interim results and start providing tothe client or search requester interim results that are responsive tothe query. Meanwhile, in this mixed mode, the ERP also operatesconcurrently in reporting mode, processing portions of raw data in amanner responsive to the search query. Upon determining that it hasresults from reporting mode available to return to the search head, theERP may halt mixed mode at that time (or some later time) by stoppingthe return of data in streaming mode to the search head, switching toreporting mode only. The ERP at this point starts sending interimresults in reporting mode to the search head, which in turn may thenpresent this processed data responsive to the search request to theclient or search requester. Typically the search head switches fromusing results from the ERP's streaming mode of operation to results fromthe ERP's reporting mode of operation at the point where the higherbandwidth results from the reporting mode outstrips the amount of dataprocessed by the search head in the lower bandwidth streaming mode ofERP operation.

One reason reporting mode is typically higher bandwidth is because theERP does not have to spend time transferring data to the search head forprocessing all the raw data, and another reason is because the ERP mayoptionally direct another processor to do the processing.

One should recognize that it is not necessary to halt at any point thestreaming mode of operation to gain the higher bandwidth benefits ofreporting mode; the search head could simply stop using the streamingmode results—and start using the reporting mode results—at some point atwhich the bandwidth of the reporting mode has caught up with or exceededthe amount of bandwidth provided by the streaming mode. Thus, a varietyof triggers and ways to accomplish a switch from the search head usingor the ERP transferring streaming mode results to reporting mode resultsmay occur to one skilled in the art.

The reporting mode can involve the ERP process (or an external system)performing event breaking, time stamping, filtering of events to matchthe search query request, and calculating statistics on the results.Whether or not events are the ultimate answer to a search query, orwhether or not statistics are the ultimate answer, depends on the searchquery request specified by the user. The user can request particulartypes of data, such as where the search query itself involves types ofevents, or the search request may ask for statistics on data, such as onevents that meet the search request; either query phrasing is possible.In either case, the search head understands the query language used inthe received query request, which may be a proprietary language. Forexample, the search head may understand the query language used by theassignee of the application, Splunk Inc. (a query language commonlycalled SPL, or Splunk Processing Language) and the search head typicallyunderstands how to use that language to obtain data from the indexerswhich store data in a Splunk-specific format.

The ERP processes support the search head, as the search head is notordinarily configured to understand the format in which data is storedin external data sources such as Hadoop or SQL data systems. Rather, theERP process performs that translation from the format for what has beenrequested by the search query that has been submitted in the searchsupport system's native format (e.g., SPL if SPLUNK® ENTERPRISE is usedas the search support system) to the format in which a search queryrequest will be accepted by the corresponding external data system. Theexternal data systems typically store data in a different format fromthat of the search support system's native index format, and utilize adifferent query language (e.g., SQL or MapReduce, rather than SPL or thelike).

As noted, the ERP process can operate in the streaming mode alone. Afterthe ERP process has performed the translation of the query requestreferred to above, and once the ERP process has returned the raw resultsfrom the streaming mode, the search head can operate on the returneddata and can integrate the returned data with any data obtained fromlocal data sources (e.g., native to the search support system) and fromother external data sources and from other ERP processes (if suchoperations were required to satisfy the terms of the search query).Thus, one advantage of mixed mode operation is that, in addition tostreaming mode, the ERP process is also executing concurrently in thereporting mode, so that the ERP process (rather than the search head) isprocessing query results (e.g., performing event breaking, timestamping,filtering, possibly calculating statistics if required to be responsiveto the search query request, etc.). It should be apparent thatadditional time is needed for the ERP process to perform the processingin such a configuration. Therefore, the streaming mode will allow thesearch head to start returning interim results to the user at the clientdevice before the ERP process can complete sufficient processing tostart returning any search results. The switchover between streaming andreporting mode happens when the ERP process determines that theswitchover is appropriate, such as when the ERP process determines itcan start returning meaningful results from its reporting mode.

The operation described above illustrates the source of operationallatency: streaming mode has low latency (one obtains immediate results)and usually has relatively low bandwidth (fewer results can be returnedper unit of time), whereas the concurrently running reporting mode hasrelatively high latency (it has to perform a lot more processing beforereturning any of the results) and usually has relatively high bandwidth(more results can be processed per unit of time). For example, when theERP process does start returning report results, it returns a more(processed) results than in the streaming mode, because, e.g.,statistics only need to be calculated to be responsive to the searchrequest. That is, the ERP process doesn't have to take time to firstreturn raw data to the search head. As noted, the ERP process could beconfigured to operate in streaming mode alone and return just the rawdata for the search head to process in a way that is responsive to thesearch request (which may have requested certain types of events, orstatistics on those events). Alternatively, the ERP process can beconfigured to operate in the reporting mode only. Also alternatively,the ERP process can be configured to operate in streaming mode andreporting mode concurrently, as described, with the ERP process stoppingthe transmission of streaming results to the search head when theconcurrently running reporting mode has caught up and started providingresults. The reporting mode does not require the processing of all rawdata that is responsive to the search query request before the ERPprocess starts returning results, rather, the reporting mode usuallyperforms processing of chunks of events at a time and returns theprocessing results to the search head for each chunk.

For example, an ERP process can be configured to perform as simply asreturning the contents of a search result file verbatim, with little orno processing of results, such that a search head performs allprocessing such as parsing byte streams into events, filtering, and thelike, or the ERP process can be configured to perform more flexibly,such as analyzing the search request and handling all the computationthat a native search indexer process would otherwise perform. In thisway, the configured ERP process provides greater flexibility in featureswhile operating according to desired preferences in terms of responselatency and resource requirements.

3.0. Functional Overview

Approaches, techniques, and mechanisms are disclosed that enable networksecurity analysts and other users to conduct network securityinvestigations efficiently and to produce useful representations ofinvestigation results. As used herein, a network security investigationgenerally refers to an analysis of one or more detected network eventswhich may pose internal and/or external threats to a computer networkunder management. For example, one or more of the detected networkevents may represent notable events, described above in Section 2.11,which generally may correspond to detected malware infections, unusualnetwork traffic, access failure notifications, etc. In one embodiment, asecurity analyst may conduct such investigations using a networksecurity application such as, for example, the SPLUNK® APP FORENTERPRISE SECURITY described above in Section 2.11.

According to one embodiment, a network security application isconfigured to monitor and log user interactions with the application,also referred to herein as workflow events. For example, as illustratedin FIGS. 9A and 9B, a network security application may generate anddisplay various “dashboards” and other graphical user interfaces (GUIs)that security analysts can use to view and act on various network eventsstored by the system. In this context, user interactions with thesecurity application generally may include any user interaction withrespect to these GUIs and other interfaces such as, for example, viewinga particular dashboard, submitting a search query, filtering a displayeddata set, interacting with a notable event, etc. In one embodiment, inresponse to detecting an occurrence of a particular user interaction, anetwork security application is configured to store a record of the userinteraction in a workflow event log, also referred to as an “actionshistory,” associated with the particular user. Each workflow event logentry, for example, may indicate information about a type of workflowevent that occurred, when the workflow event occurred, which userperformed the workflow event, etc. A collection of workflow events maygenerally represent steps taken by an analyst to investigate one or morenetwork security incidents.

According to one embodiment, a network security application is furtherconfigured to enable users to collect information related to aparticular security investigation easily for display on an interactiveinvestigation timeline. In general, an investigation timeline comprisesa collection of investigation events, some or all of which may beselected for addition to the timeline by one or more users associatedwith the corresponding investigation. Each investigation event generallymay represent either a network event (e.g., an event related to one ormore components of a computer network), a workflow event (e.g., an eventrepresenting a user interaction with the network security application asrecorded in a workflow log), or other custom events created by ananalyst. A collection of events associated with an investigationtimeline, for example, may provide information about the chronology ofan investigation, including both a chronological ordering of theoccurrence of one or more network events, as well as a chronologicalordering of steps taken by one or more analysts to respond to thosenetwork events. A combination of both types of events on the sametimeline may provide valuable insight into the lifespan of a networksecurity investigation that previously was not easy or possible toobtain.

In one embodiment, a network security application is configured togenerate one or more graphical displays that enable a user to view andinteract with a workflow event log and investigation timelines. Forexample, a network security application may provide one or more GUIelements that persist on a user's display as the user navigates variousdashboards and other interfaces of the network security application. Byproviding interfaces which a user can access at virtually any point in anetwork security application, users can more easily compile informationfrom disparate information sources into a single comprehensiveinvestigation resource.

FIGS. 12A and 12B illustrate a workflow log panel and an investigationtimeline panel, respectively, for use in a network security application.FIG. 12A includes an investigation panel 1202 and a workflow event logpanel 1204. FIG. 12B includes an investigation timeline panel 1206. Thecomponents depicted in FIGS. 12A and 12B are presented as high-levelexamples of these features, each described in further detail in separatesections hereinafter. Each of the components of FIGS. 12A and 12Bgenerally represents one or more GUI elements that may be displayedindividually or in conjunction with other interface elements, includingvarious dashboards and other displays of a network security application.

In an embodiment, an investigation panel 1202 generally represents aninterface component which may be used to access various other interfacecomponents related to one or more network security investigations,including workflow event logs, investigation timelines, and otherfeatures. To enable a user to access these features at any time duringuse of a network security application, an investigation panel 1202 maybe configured as a persistent or “ride along” interface component thatis displayed in conjunction with each interface as the user navigates tovarious different interfaces of the application. For example, if a useris currently viewing an “incident review” dashboard of the networksecurity application, an investigation panel may be configured todisplay on some portion of the display (e.g., as a menu bar at the topor bottom of the display). The user may subsequently navigate to adifferent dashboard, and the same investigation panel may continue to bedisplayed in conjunction with the second dashboard interface. In thismanner, a user may seamlessly access and interact with an investigationpanel, associated workflow event logs, and investigation timelines,throughout the user's experience with the network security application.

In an embodiment, a workflow event log panel 1204 is configured todisplay a list of recorded workflow events and enable user interactionwith the historical record of workflow events. As described in moredetail hereinafter, a user may use a workflow event log panel 1204 toview and search for particular workflow events, to configure how thenetwork security application tracks and displays workflow events, and toadd workflow events to one or more investigation timelines.

In an embodiment, an investigation timeline panel 1206 is configured todisplay one or more investigation timelines, including a display ofassociated events at particular locations along the timeline. Forexample, in order to create a representation of a particular networksecurity investigation, a user may select one or more network events andassociated workflow events for addition to the timeline. The user mayfurther add one or more user-generated notes and screenshots to the sametimeline. To facilitate these actions, an investigation timeline panel1206 may provide one or more interface components that enable users tocompile information from various sources into a single timeline display.

In addition to providing interface elements that enable user interactionwith workflow event logs and investigation timelines, as describedabove, a network security application further may be configured togenerate and display one or more GUIs providing an overview of ongoingand completed investigations. In one embodiment, a network securityapplication may provide an investigation management console whichprovides one or more GUIs displaying status information related to oneor more separate investigations. An investigation management consolemay, for example, provide information indicating a current status ofindividual investigations (e.g., in progress, under review, closed,etc.), assignments of each investigation to one or more particularanalysts, an assigned priority level for particular investigations, andvarious aggregate metrics based on information related to a plurality ofthe investigations.

In other aspects, the invention encompasses a computer apparatus and acomputer-readable medium configured to carry out the foregoing steps.

3.1. Investigation Workflow Logging

The process of conducting a network security investigation using anetwork security application generally may involve a large number ofsteps on the part of one or more security analysts responsible for theinvestigation. For example, an investigation may begin with an analystviewing an incident review dashboard (e.g., FIGS. 9A and 9B) andnoticing one or more notable events of interest (e.g., corresponding todetected malware infections, security access violations, etc.). This maylead the analyst to navigate various other dashboards provided by thenetwork security application to conduct searches, review other storedevents, and generally attempt to provide a context for the notableevent(s) relative to other stored network events. As the analyst reviewsthe information, the analyst may further produce various notes and otheruser-generated content relating to the analyst's insight into a cause ofthe events. Details about these steps may provide valuable informationabout how an analyst (or team of analysts) is responding to particularnetwork security incidents.

In one embodiment, to provide access to such information about ananalyst's actions during an investigation, a network securityapplication is configured to monitor and record information about users'interactions with the network security application entries in a“workflow event log.” In general, each entry in a workflow event logcomprises information about a corresponding user action including thetype of user action, a time the user action occurred, an identity of theuser that performed the action, etc. For example, types of workflowevents that may be recorded in a workflow event log may correspond to auser viewing a particular dashboard, submitting a search query using adashboard interface, filtering a data set displayed by one or moredashboard elements, changing the status of a notable event, or any otheruser action that may be detected by the network security application.

In one embodiment, in addition to monitoring and recording workflowevents, a network security application is configured to generate andcause display of one or more GUI elements which display and enable userinteraction with stored workflow log entries. In general, these GUIelements may be displayed in conjunction with other interfaces of anetwork security application, enabling users to easily access andutilize aspects of a workflow event log as the analyst navigates variousdashboards and other interfaces of the network security application.

FIG. 13 depicts an example of a workflow event log panel overlaying adashboard of a network security application. In FIG. 13, a workflowevent log panel 1302 includes a search bar 1304, a workflow event typefilter 1306, and a workflow event list 1308. A workflow event log panel1302 may be displayed, for example, in response to a user selecting anevent log icon 1310 displayed on an investigation panel 1312, or“investigation bar.” As indicated above, an investigation panel 1312 mayrepresent a persistent interface component that is displayed as a usernavigates various interfaces of the network security application. Asdepicted in FIG. 13, the display of the workflow event log panel 1302may include overlaying the panel on a currently displayed dashboardinterface 1314.

In an embodiment, a workflow event log panel 1302 generally displays alist of workflow events in a workflow event list 1308. Each workflowevent displayed in the workflow event list 1310 may, for example,correspond to an action previously taken by a user with respect to oneor more user interfaces of the network security application. In FIG. 13,workflow event list 1308 displays a number of workflow events groupedinto separate timespans (e.g., “Today—Thursday, Mar. 5, 2015” and“Yesterday—Wednesday, Mar. 4, 2015”). Workflow log events displayed in aworkflow event list 1310 generally may be grouped in any manner fordisplay, including by week, by day, by hour, by event type, or any othergrouping.

In FIG. 13, each of the individual workflow log events in the workflowevent list 1308 is displayed with an associated selection box (e.g.,selection box 1316), an event label (e.g., event label 1318), and anevent type icon (e.g., event type icon 1320). In an embodiment, aselection box enables a user to select one or more particular eventsfrom the workflow event list to perform one or more operations withrespect to the selected events (e.g., to add the event(s) to aninvestigation timeline, modify the event(s), delete the event(s), etc.).The addition of workflow events to an investigation timeline isdescribed in more detail hereinafter in Section 3.2. In one embodiment,workflow events may be selected to “re-run” the recorded actions. Forexample, if a workflow event in event list 1308 corresponds to a searchconducted on a particular dashboard, a user may select the correspondingevent to cause the previous search results to be redisplayed, or thesearch may be reprocessed for more current results.

In an embodiment, a workflow event label 1318 provides a textualdescription of a workflow event. For example, if a particular workflowevent corresponds to a user viewing a particular dashboard, a label forthe workflow event may indicate a title of the dashboard viewed (e.g.,“Malware Operations”). As another example, if a particular workflowevent corresponds to a user submitting a search query, an associatedevent label may indicate a search string and/or search parameterssubmitted by the user for the search. In an embodiment, a workflow eventtype icon 1320 displays a particular icon depending on a type of thecorresponding workflow event. For example, each workflow event of aworkflow event list 1310 may be associated with a different icondepending on whether the workflow event corresponds to a dashboard view,a search, a data set filter, interaction with a notable event, etc.

In an embodiment, a workflow event type filter 1306 enables a user toselect and/or deselect one or more particular types of workflow eventfor display in a workflow event list 1308. For example, a particularuser may not desire to view workflow events that correspond to recordedinstances of the user viewing particular dashboards. In this example,the user may deselect the “dashboards viewed” event type from the list,thereby causing workflow events of that type to be hidden from theworkflow event list 1308 while displaying workflow events of othertypes.

FIG. 14 illustrates various associated interfaces of a workflow logpanel, including a workflow log settings panel and an expanded workflowlog panel. Similar to the workflow event log panel 1302 of FIG. 13,workflow event log panel 1402 displays a standard or “default” view of aworkflow event log, including a list of workflow events and variousinterface elements for interacting with the workflow events.

In one embodiment, a user may select an interface element of a workflowevent log panel 1402 or provide other input to cause display of aninterface for configuring one or more settings associated with aworkflow event log. For example, a workflow event log settings panel1404 may be displayed in response to a user selecting configuration icon1408 of a workflow event log 1402. In general, a workflow event logsettings panel 1404 may display various interface elements that enable auser to configure how the network security application tracks anddisplays workflow events for one or more particular users. In FIG. 14,for example, a settings panel 1404 includes a selectable list ofworkflow event types (e.g., dashboard views, searches, filters, notableevent suppressions, and notable event status changes). In an embodiment,the selection of particular event types in a settings panel 1404 maydetermine which types of workflow events are tracked by the networksecurity application and/or which types of workflow events are displayedin a workflow event log panel 1402 and/or detailed workflow event logpanel 1406.

In an embodiment, a detailed workflow event log panel 1406 provides aview of a workflow event log, where each displayed work event may bedisplayed with more detailed information about the events than thatdisplayed in a standard workflow event log panel 1402. For example, inaddition to the information displayed in a workflow event log panel 1402for each workflow event, each event displayed in a detailed workflowevent log panel 1406 may include information indicating timestampinformation and a more detailed label describing the event. In oneembodiment, a detailed workflow event log panel 1406 may be displayed,for example, in response to a user selecting an expansion icon 1410 on astandard workflow event log panel 1402.

FIG. 15 depicts an example of a detailed workflow log panel overlaying adashboard interface. As described above in reference to FIG. 14, adetailed workflow log panel 1502 may be displayed, for example, inresponse to a user selecting a workflow display expansion icon 1504(which also may be used to revert the display of the workflow eventpanel to a standard size as depicted in FIG. 13). A detailed workflowlog panel 1502 may further include additional interface elements used tomodify a currently displayed set of workflow events, such as a calendarpicker, other search interface elements, etc.

In addition to automatically monitoring and logging user interactions ina workflow event log, a network security application may also provideone or more interface components that enable users to create and storeuser-generated information related to a security investigation. In oneembodiment, a network security application includes a notes module and ascreenshot module. In general, each of these modules provides one ormore interface components that enable users to provide information thatis saved by the security system and which users may associate with oneor more investigation timelines, as described in Section 3.2.

FIG. 16, for example, illustrates a notes panel that enables users tostore user-generated notes related to one or more investigations. In anembodiment, a notes panel 1602 generally enables a user to providevarious types of user-generated content, including text, images, links,etc., which may be saved by the network security application and which auser may associate with one or more investigation timelines, asdescribed in more detail in Section 3.2. For example, during aparticular security investigation, a user may create one or more notesto record a user's observations related to particular network events orother aspects of the investigation as the user reviews variousdashboards and other information.

In FIG. 16, a notes panel 1602 may be displayed, for example, inresponse to a user selecting a notes icon 1606 displayed on aninvestigation panel 1608. In an embodiment, a notes panel 1602 generallymay include a search bar and a list of previously created notes. Aseparate notes panel 1604 displaying a particular note may be displayed,for example, in response to a user selecting a particular note from thenotes list displayed in the notes panel 1602 for modification, or inresponse to selecting an icon to create a new note. Notes panel 1604generally may enable a user to provide any type of input including text,links, images, etc. to save as a note.

FIG. 17 illustrates a screenshot panel that enables users to recordscreenshots within a network security application. In an embodiment, ascreenshot panel 1702 generally enables a user to capture a screenshotat any point during the use of a network security application. Ascreenshot in this context generally refers to an image file thatrecords some or all of a currently displayed interface. For example, ifa user is currently viewing a particular dashboard of the networksecurity application, the user may use a screenshot panel 1702 to recorda copy of the dashboard as it is displayed, or some portion thereof.

In FIG. 17, a screenshot panel 1702 may be displayed, for example, inresponse to a user selecting a screenshot icon 1706 on an investigationpanel 1708. In an embodiment, a screenshot panel 1702 may include asearch bar, a list of previously created screenshots, and various optionicons. In general, a screenshot panel 1702 may be configured to enable auser to capture a screenshot, associate a label or other descriptiveinformation with each captured screenshot, and to add capturedscreenshots to an investigation timeline. Option icons 1710 may includea number of selectable icons that enable a user to perform one or moreactions, including creating a new screenshot, editing an existingscreenshot, deleting a previously created screenshot, and otheroperations. A separate screenshot upload panel 1706 may be displayed,for example, in response to a user selection of a particular option icon1710 and enable a user to upload a screenshot file captured outside ofthe network security application.

3.2. Investigation Timelines

A security analyst conducting a network security investigation mayreview a large amount of information from many different sources duringthe investigation. For example, an analyst may initiate a securityinvestigation in response to reviewing an incident review dashboard andidentifying one or more notable events of interest. In response, theanalyst may review any number of different dashboards and otherinterfaces of the network security application to analyze the notableevent(s) and to locate other possibly related network events stored bythe network security application. While reviewing each of thesedashboards, the analyst may perform one or more searches and/or datafilters to further locate other events and data of interest. As the userlocates and analyzes such data, the user may take various notes andrecord other information related to the investigation. Some or all ofthese actions taken by an analyst during a security investigation may berecorded as workflow events as part of a workflow log, as describedabove in reference to Section 2.1.

In one embodiment, to facilitate the creation of an organizedrepresentation of the various events, user actions, notes, etc. that maycomprise a security investigation, a network security applicationenables users to create and view investigation timelines. In general, aninvestigation timeline is a stored representation of an investigationand may be associated with various types of data including networkevents, workflow events, user-generated data (e.g., notes andscreenshots), and other information. In one embodiment, a display of aninvestigation timeline may be generated by displaying one or moregraphical indications at various points along a timeline, each of thegraphical indications representing a particular event or other datapoint. The creation and display of investigation timelines may, forexample, assist analysts and other users with a better understanding ofthe chronology of events and other information that comprise a securityinvestigation.

In one embodiment, a network security application provides various GUIelements that enable users to easily create and view investigationtimelines during use of the application. Similar to the workflow logpanels described above in Section 3.1, a network security applicationmay provide an investigation timeline panel which may be displayed inconjunction with other interfaces of the network security application.By providing an investigation timeline panel that is generallyaccessible across a user's experience with the security application,users can easily compile information into the timeline as the userreviews data from a possibly large number of disparate sources (e.g.,various dashboards and other interfaces).

FIG. 18 illustrates an investigation timeline panel displayed inconjunction with a dashboard interface. In FIG. 18, a timeline panel1802 is displayed overlaying a dashboard interface 1804. In anembodiment, a timeline panel 1802 may include zero or more timelineevents (e.g., timeline events 1806), a timeline options panel 1808, andzoom icons 1810, among other possible elements.

In an embodiment, timeline events 1806 represent one or more events thathave been added to the particular investigation timeline, represented bygraphical indications that are displayed at a particular location on theinvestigation timeline. In general, a location at which each timelineevent 1806 is displayed on an investigation timeline may correspond totimestamp information associated with the event. For example, if one ormore of the events 1806 represents a network event, the network event isassociated with timestamp information that is stored with the networkevent when the event is created. The location at which the networkevents may be displayed on the timeline thus may correspond to thetimestamp information associated with the events.

In an embodiment, zoom icons 1810 may be selected to modify a span oftime currently displayed on the investigation timeline. For example, atimeline panel 1802 by default may display a timespan such that allevents associated with the timeline are displayed in the view, or thetimeline may display a set period of time (e.g., a year, a month, etc.).To adjust the display of the timeline to focus on particular timespans,zoom icons 1810 may be used to increase or decrease the span of timecurrently displayed in the timeline. As described in more detail inreference to FIG. 32, depending on a current zoom level and an amount ofdisplay room available, events may be displayed on the timeline usingseparate graphical indications, or using a grouped indication if, forexample, there is insufficient space to display the graphicalindications separately on the timeline.

FIG. 19 illustrates an interface for adding an event to an investigationtimeline. In FIG. 19, a dashboard interface 1902 includes a detailedevent display 1904, which includes an event action button 1906. Thedetailed event display 1904 may be displayed, for example, in responseto a user selection of a particular event displayed in a particulardashboard, using one or more search options to search for a particularset of events, and/or selecting an event of interest from a searchresult list. In an embodiment, an event action button 1906 provides amenu that generally enables a user to select one or more actions toperform with respect to the displayed event. For example, an eventaction button 1906 may include options to identify the event as anotable event, to extract fields from the event, and to show the sourceof the event.

In one embodiment, an event action button 1906 may include an option toadd the associated event to an investigation timeline. For example, auser viewing a particular event may determine that the selected event isrelevant to an ongoing investigation, or decide that a particular eventis a worthy focus of a new investigation. In such instances, forexample, the user may select an option from a menu displayed by an eventaction button 1906 to add the currently displayed event to aninvestigation timeline. In response to receiving the user's selection,the event may be automatically added to a particular investigationtimeline (e.g., an investigation timeline currently displayed ininvestigation timeline panel 1904). In another example, a user may beprompted to select a particular investigation timeline to which theevent is to be added.

FIG. 20 depicts an example interface displayed in response to an eventbeing added to an investigation timeline. For example, the dashboardinterface 2002 of FIG. 20 may be displayed in response to a userselecting an option from the menu generated by event action button 1904to add the event associated with the event detail 1902 to aninvestigation timeline, as described above in reference to FIG. 19.

In FIG. 20, a detailed event display 2004 displays associated timelineinformation 2006, which generally may indicate information about one ormore investigation timelines to which the event has been added. In FIG.20, for example, the timeline information 2006 displays the label of aparticular investigation timeline to which the event has been added(e.g., “My_Investigation_Timeline_0306151008”, corresponding to theinvestigation timeline displayed in panel 2008) and a progress barindicating that the event is in the process of being added to theinvestigation timeline. In an embodiment, an event selected for additionto an investigation timeline generally is added to the timeline at alocation corresponding to timestamp information associated with theevent. In other examples, a user may select a location on the timelineto display an event that is different from a timestamp associated withthe event, if desired.

In an embodiment, similar to the addition of a network event to aninvestigation timeline, a user may use a workflow event log panel orother interface component to add one or more workflow events to aninvestigation timeline. For example, as described above in reference toFIG. 13, a user may use a workflow event log panel to select one or moreparticular workflow events and to perform one or more actions withrespect to the selected events. In one embodiment, an action may includeassociating the selected workflow events with one or more particularinvestigation timelines.

FIGS. 21 and 22 depict example interfaces for adding a note orscreenshot at a particular location on an investigation timeline. InFIG. 21, for example, an investigation timeline panel 2102 includes auser-generated event indication 2104, which includes separate selectableicons for creating a note or a screenshot. The user-generated eventindication 2104 may be displayed, for example, in response to a userselecting a particular point on the timeline of the displayedinvestigation timeline panel 2102. For example, a user may desire torecord a note or screenshot related to one or more temporally proximateevents on the timeline, or associate a previously created note orscreenshot (e.g., using the notes or screenshot module described abovein reference FIGS. 16 and 17) with a particular timeline location.

FIG. 22 illustrates an example interface for adding a screenshot at aselected location on an investigation timeline. Similar to FIG. 21, aninvestigation timeline panel 2202 includes a user-generated eventindication 2204, which a user may use to indicate a desire to add ascreenshot at the selected location on the investigation timeline. Ascreenshot bounding box 2206 may be provided to enable a user to selecta particular portion of a currently displayed interface. For example, auser may desire to save as a screenshot one or more particular dashboardelements, or the user may save an entire display.

FIG. 23 illustrates a sample interface for assigning one or more usersto an investigation. In an embodiment, assigning a user to a particularinvestigation timeline generally may grant the user permission to viewand modify the investigation timeline, although various permissionlevels are possible. For example, certain users may be assigned to aparticular timeline with view-only permissions, while others may bepermitted to view and modify the timeline. Further, permissions may beset that allow or disallow users from assigning additional users to aparticular investigation.

In FIG. 23, an investigation timeline panel 2302 includes analystassignment icons 2304, which generally may enable a user to add orremove other users' access to the particular timeline. For example, if auser selects a particular analyst assignment icon 2304, the user may bepresented with a searchable list of other users of the network securityapplication who may be added to the investigation timeline. Analysticons 2304 may further display graphical indications representing eachuser currently assigned to the timeline, for example, and provide theability to select particular users for removal.

As described above in reference to FIGS. 19-23, a network securityapplication may provide any number of mechanisms for adding networkevents, workflow events, and other information to an investigationtimeline. When viewing a particular investigation timeline, or whenviewing a particular event, it may often be useful to be able tonavigate from one to the other. For example, an analyst may be viewing aparticular timeline and desire more information about a particular eventdisplayed on the timeline. In one embodiment, in response to receivinginput from the user requesting additional information about an eventdisplayed on a time, a network security application may be configured tocause display of an interface providing information about the selectedevent. For example, a user may select a particular graphical indicationof an event displayed on a timeline panel and, in response, an interfacemay be displayed with detailed information about the event, such as thedetailed event display 1904 of FIG. 19. Similarly, a user viewing aparticular event of interest in a dashboard or other interface mayselect an interface element that causes display of one or more timelineswith which the event is associated, if any.

FIG. 24 illustrates an example interface for displaying a list ofinvestigations to which a particular user is currently assigned. In FIG.24, an investigation panel 2402 is currently displayed in a collapsedstate, without display of an associated timeline panel above theinvestigation panel 2402. In one embodiment, investigation panel 2402includes an investigation list button 2404 that is configured to displaya timeline list panel 2406 upon user selection. In an embodiment, atimeline list panel 2406 generally is configured to display a list ofinvestigation timelines to which the user is currently assigned, forexample, either because the user created the investigation timelines orwas assigned to the timelines by another user. In an embodiment, a usermay select a particular investigation timeline from the list displayedin the panel 2406 to cause the selected timeline to become the activetimeline, meaning the timeline is displayed for the user in a timelinepanel when requested. In this manner, a user can easily toggle betweentwo or more investigation timelines to which the user is currentlyassigned.

FIG. 25 illustrates an interface displaying an investigation timeline,where the investigation timeline includes multiple types of eventsdisplayed on the same timeline. In FIG. 25, an investigation timelinepanel 2502 is displayed including several graphical indications ofevents 2504. In an embodiment, each of the graphical indications ofevents 2504 includes various graphical elements that provide informationabout the event, including a type of event (e.g., a network event,workflow event, note, screenshot, etc.), a label for the event, and oneor more users associated with the event (e.g., a user that selected aparticular network event for addition to the timeline, a user associatedwith a particular workflow event, a user that created a particular noteor screenshot, etc.). For example, each of the graphical indications ofevents 2504 may be displayed using a different color and/or shapedepending on a type of event. As another example, each of the graphicalindications may include a user's initials or other indication of theuser associated with the event.

In one embodiment, the events associated with a particular investigationtimeline may be displayed in one or more alternative formats. As oneexample, a network security application may be configured to display a“storyboard” representation of an investigation timeline, enabling usersto progress through a display of detailed information about each eventof an investigation timeline in an order based on the display of theevents in the timeline. FIG. 26 illustrates an investigation timelinedisplayed in conjunction with an investigation storyboard. In FIG. 26,for example, an investigation timeline panel 2602 is displayed adjacentto a corresponding storyboard panel 2604. Although both of theinvestigation timeline panel 2602 and the storyboard panel 2604 aredisplayed on the same display in FIG. 26, in other examples each of thepanels may be displayed independently from one another.

In an embodiment, a storyboard panel 2604 generally may enable a user toprogress through a series of events associated with a particularinvestigation timeline in a chronological fashion, for example, byclicking on the arrows on the left and right sides of the storyboardpanel 2604. This view may assist a user reviewing the events of aparticular investigation timeline by providing an interactive “story” ofthe events associated with a particular investigation. When a particularevent is focused in the storyboard panel 2604, for example, thecorresponding event may be highlighted or otherwise noted in theinvestigation timeline panel 2602. Similarly, if input is receivedselecting a particular event displayed on the investigation timelinepanel 2602, a detailed view of the event may be displayed in thestoryboard panel 2604.

In an embodiment, a storyboard panel 2604 generally may include an eventinformation region 2606 that displays detailed information about theparticular event. For example, the information displayed about aparticular event may include timestamp information, some or all of theraw data associated with the events, and other information. A storyboardpanel 2604 may further include user-annotated information aboutparticular events, including a label for the event, notes about theparticular event, and other information. For example, a user may selectuser annotation region 2608 to create or modify one or more annotationsfor a currently displayed event. Separate timestamp information may berecorded for user annotations indicating when a user provided aparticular annotation and/or when the annotation information was lastupdated.

FIGS. 27-29 each illustrate various interface elements of aninvestigation timeline panel that enable a user to specify informationabout an investigation associated with the displayed timeline, includingan investigation status, priority level, and visibility level. Asdescribed in more detail in reference to an investigation managementconsole described in Section 3.3, the provided information generally mayenable a network security manager or other user to better categorize,prioritize, staff, and review a number of currently ongoinginvestigations.

FIG. 27 illustrates an interface element for assigning an investigationstatus to an investigation timeline. In FIG. 27, an investigationtimeline panel 2702 is displayed and includes an investigation statusselector 2704. A user may use an investigation status selector 2704, forexample, to assign a particular completion status (e.g., in progress,under review, closed) to an investigation associated with the displayedinvestigation timeline. The ability for a particular user to change theinvestigation status for a particular investigation timeline and tochange other investigation status information described in FIGS. 28 and29 may depend on whether the user has permission to modify informationabout the investigation.

FIG. 28 illustrates an interface element for assigning a priority levelto an investigation timeline. In FIG. 28, an investigation timelinepanel 2802 includes a priority level selector 2806. For example, a usermay use priority level selector 2806 to assign a particular prioritylevel (e.g., critical, high, medium, low, info) to the investigationassociated with the displayed investigation timeline. A priority levelassociated with each investigation may be used, for example, to assist anetwork security manager or other user in prioritizing investigationsfor completion and to decide which and how many analysts to assign toparticular investigations.

FIG. 29 illustrates an interface element for selecting visibility accesscontrols for an investigation timeline. In FIG. 29, an investigationtimeline panel 2902 includes a visibility level selector 2904. In anembodiment, a user may use the visibility level selector 2904 to specifya user or group of users that are permitted to view the associatedinvestigation timeline.

FIG. 30 illustrates an investigation timeline-specific interface. In anembodiment, an investigation timeline-specific interface 3002 may, forexample, provide various different views of a particular investigationtimeline, including a storyboard view (as illustrated in FIG. 26), andan event list view. An investigation timeline-specific interface 3002may further provide one or more interface components for filtering a setof events currently displayed on an investigation timeline. For example,a user may use an event type filter 3004 to specify particular types ofevents (e.g., all events, network events, notable events, user-generatednotes and screenshots, and workflow events) to display on an associatedinvestigation timeline. A user may use an event type filter 3004, forexample, to generate different displays of a particular investigationtimeline without actually adding or removing any of the associatedevents from the timeline. In FIG. 30, for example, an investigationtimeline is displayed in a storyboard format in panel 3006, with acorresponding timeline view displayed in panel 3008.

FIG. 31 illustrates an event list display for a collection of eventsassociated with a particular timeline. For example, an event list 3102may display in table form a list of the events associated with aparticular investigation timeline, enabling users to sort the eventsassociated with an investigation timeline based on various eventattributes (e.g., timestamp information, event label, event type, etc.).In an embodiment, a user may use an event list 3102 to select one ormore events for removal from the associated timeline, or to performother operations on selected events.

In the previous examples, the investigation timelines generallydisplayed a separate graphical indication for each event associated withthe span of the timeline currently in view. However, in some instances,many events associated with a timeline may be associated with arelatively short period of time. In these instances and at particularzoom levels of the timeline, the timeline may not have room toaccommodate display of the graphical indications representing each ofthe temporally proximate events. In one embodiment, to facilitatedisplay of a large number of events that may occur relatively close intime to one another, generation of a timeline view may include groupingtwo or more events into a single graphical indication.

FIG. 32 illustrates displaying a group of events based on a timelinezoom level. In FIG. 32, an investigation timeline 3202 is displayed,including a number of graphical event indications at various points onthe timeline, including an event group 3204. In an embodiment, whereasother events on the timeline are displayed using a single graphicalflag, an event group 3406 is displayed as a stacked group of flags toindicate that the graphical indication represents more than one event.The events may be grouped, for example, because at the current zoomlevel of the timeline, display of the events individually may otherwiseresult in an overly cluttered display of the events. In general, anytype of graphical representation may be used to indicate that aparticular graphical indication on a timeline represents an event group.

As indicated above, the grouping of particular events displayed on atimeline may depend on a current zoom level of the timeline, and eventsdisplayed as a group at one zoom level may be displayed separately atanother zoom level. For example, investigation timeline 3206 representsthe same investigation timeline 3202 displayed at a different zoomlevel. For example, a user may have zoomed in on the temporal regionsurrounding the event group 3206 by clicking on the graphical indicationrepresenting the event group 3206, or using the zoom icons. As depictedin the investigation timeline 3206, each of the events of the eventgroup 3204 is now displayed as a separate graphical indication at aseparate point along the timeline. If a user later zooms out thetimeline display view, the graphical indication representing event group3204 may re-collapse into a single graphical indication, as depicted intimeline 3202.

3.3. Investigation Management

In an embodiment, in addition to providing interfaces for creating andviewing individual investigation timelines, a network securityapplication may provide one or more interfaces for managing and viewinginformation related to any number of ongoing and/or completedinvestigations. One example of an interface for displaying informationabout a plurality of investigations is referred to herein as aninvestigation management console. In general, a management console mayprovide a single interface in which an analyst, network security teammanager, or other user can easily view the status of a plurality ofinvestigations, view aggregate information for the plurality ofinvestigations, and easily navigate between investigations.

FIG. 33 illustrates an example investigations management console. InFIG. 33, a management console interface 3302 includes an aggregateinformation panel 3304, one or more investigation filters 3306, and aninteractive investigations list 3308.

In one embodiment, aggregate information panel 3304 provides any numberof various metrics that may be derived from a set of investigations. InFIG. 33, for example, aggregate information panel 3304 includes a metricindicating a total number of active investigations, a leaderboardtracking a number of investigations completed by different analysts, anda “kill chain” metric. In this context, a kill chain generally refers toan estimated overall health of a computer network based on a stageassociated with one or more individual network security incidents. Inone embodiment, a kill chain metric may be derived based on calculatinga stage associated with each individual investigation timeline stored bythe security application, and taking an average of the associatedstages.

In an embodiment, an interactive investigations list 3308 provides atable display of any number of investigations, which may be sorted andfiltered based on desired criteria. For example, a user may use one ormore investigation filters 3306 to filter the displayed list ofinvestigations based on which users are assigned to each investigation,based on a status associated with each investigation, based on apriority level associated with each investigation, or based on a keywordsearch. Furthermore, an investigations list 3308 may be sorted, forexample, based on various attributes associated with each investigationincluding a creation date, a last update date, an investigation label,users assigned to each investigation, investigation statuses,investigation priority levels, etc.

In one embodiment, a user may search for particular investigationtimelines based on various search parameters. FIG. 34 illustrates aninterface for searching for investigations. In FIG. 34, aninvestigations search interface 3402 includes search parameter inputs3404 and results list 3406.

In an embodiment, search parameter inputs 3404 generally include variousinterface elements for a user to provide various search parameters tonarrow a search for particular investigations. Examples of searchparameter inputs 3404 include an input element to select particularinvestigation statuses (e.g., active, completed, deferred, etc.), aninput element to select particular analysts or groups of analystsassigned to investigations, an input element to specify one or more tagsassociated with investigations, and an input element to specify one ormore timeframes (e.g., last 24 hours, last week, last year, etc.)associated with investigations (e.g., created date, last updated date,completed date, etc.)

In one embodiment, individual investigations displayed in a managementconsole list or elsewhere may be selected for refinement in a dedicatedinvestigation timeline display. For example, FIG. 35 illustrates acanvas for refining an investigation timeline. In an embodiment, aninvestigation timeline canvas interface 3502 may provide a full screendisplay of a particular investigation timeline and associated events.For example, a user may use a timeline canvas interface 3502 to add toor remove particular events from a timeline, modify the location orinformation associated with existing timelines, and/or perform othertimeline operations in a larger, dedicated interface.

FIG. 36 illustrates an interface for adding an asset to aninvestigation. For example, an asset generally may represent a componentassociated with a particular computer network such as, for example, ahost device, user account, or other computer network component. Aparticular asset may, for example, be associated with one or more eventsof an investigation timeline. For example, if one particular eventassociated with an investigation timeline represents a security accessviolation, an asset associated with that event may include a compromiseduser account associated with the security access violation. In anembodiment, an asset panel 3602 may include one or more interfacecomponents for adding, removing, or modifying assets associated with aparticular investigation timeline. Similarly, FIG. 37 illustrates aninterface for displaying assets associated with a particularinvestigation timeline. For example, an asset interface 3702 may includea number of grouped lists of assets, where the groups may correspond tocompromised systems, compromised accounts, etc.

4.0. Implementation Examples 4.1. Generating Investigation TimelineViews

FIG. 38 illustrates an example flow 3800 for generating an investigationtimeline view including a plurality of event indications, according toan embodiment. The various elements of flow 3800 may be performed in avariety of systems, including systems such as system 100 describedabove. In an embodiment, each of the processes described in connectionwith the functional blocks described below may be implemented using oneor more computer programs, other software elements, and/or digital logicin any of a general-purpose computer or a special-purpose computer,while performing data retrieval, transformation, and storage operationsthat involve interacting with and transforming the physical state ofmemory of the computer.

At block 3802, one or more first events stored by a data intake andquery system are identified, each first event of the one or more firstevents corresponding to a computer network security event. In general,the identified events may correspond to events for display on aninvestigation timeline view. For example, a network security applicationmay identify events associated with a particular investigation timelineview in response to a request for display of the investigation timeline(e.g., display of an investigation timeline 1802 in conjunction with adashboard interface, as illustrated in FIG. 18).

In one embodiment, the identified one or more first events may includenetwork events selected by one or more users for addition to aparticular investigation timeline. For example, referring to FIG. 19, auser may be viewing an interface displaying of one or more networkevents, and the user may select particular network events for additionto a particular investigation timeline (e.g., using an event actionbutton 1906). In an embodiment, the selection of one or more particularevents by a user for addition to a particular investigation timeline mayinclude generating a reference to the event data stored by the dataintake and query system and which is stored as part of the investigationtimeline. In another embodiment, in response to selection of one or moreparticular events for addition to an investigation timeline, a networksecurity application may create a separate copy of the events forstorage in association with the investigation timeline.

In an embodiment, one or more network events associated with aninvestigation timeline may be added to an investigation timelineautomatically. For example, one or more notable events may beautomatically associated with a particular investigation timeline basedon a severity level or other attributes associated with the notableevents. As another example, one or more events may be automaticallyadded to a timeline based on a relationship determined between theautomatically added events and one or more events previously selectedfor addition to the timeline by a user.

At block 3804, one or more second events stored by the data intake andquery system are identified, each second event of the one or more secondevents corresponding to an occurrence of a user action recorded by thedata intake and query system. For example, as illustrated by FIGS.13-15, the one or more second events may include workflow log eventsselected by a user from a workflow event log for addition to aparticular investigation timeline.

In an embodiment, one or more other types of events may be identifiedfor display on an investigation timeline, including one or more notesand/or screenshots created by a user and saved in association with aparticular investigation timeline. For example, a user may create andsave the notes and/or screenshots in association with a particularinvestigation timeline using a notes and/or screenshot module, asdescribed in reference to FIGS. 16-17, or by adding the notes and/orscreenshots directly to particular locations on an investigationtimeline, as described in reference to FIGS. 21-22.

At block 3806, a timeline view is generated including a plurality ofgraphical event indications, the plurality of graphical eventindications including (a) at least one first graphical event indicationcorresponding to an event from the first events, and (b) at least onesecond graphical event indication corresponding to an event from thesecond events. In one embodiment, generating a timeline view may includegenerating presentation information that specifies one or more graphicalindications for display and a location on a timeline where to displaythe graphical indications. For example, in reference again to FIG. 18,display of an investigation timeline 1802 may be based on presentationinformation generated by a security application that indicates how andwhere to display the investigation timeline and various elementsthereof. The presentation information generally may include any of, forexample, HTML, CSS, graphic images, and/or any other informationspecifying how to display an investigation timeline at a client device.

In an embodiment, generating the timeline view may include configuringeach of the plurality of graphical event indications for display at alocation on the timeline view based on a timestamp associated with arespective event. For example, each network event, workflow event, anduser-generated event generally may be associated with timestamp data,and a network security application may generate a timeline view suchthat a graphical indication of each event associated with the timelineis displayed at a location on the timeline corresponding to the event'stimestamp data.

At block 3808, a network security application causes a graphical userinterface including the timeline view to be displayed. For example, thepresentation information indicating one or more graphical indicationsfor display on an investigation timeline, and information indicating alocation where to display each graphical indication on the timeline, maybe sent to a client device that then displays the timeline according tothe presentation information.

In one embodiment, generating a timeline view may include generating aportable representation of the timeline view. For example, a portablerepresentation of a timeline view may comprise any data representationof the investigation timeline that enables the timeline view to bedisplayed and possibly modified outside of the network securityapplication. One example of a portable representation may include acollection of HTML, XML, image files, etc. that enable users to view aninvestigation timeline in other applications.

4.2. Generating Workflow Event Log Views

FIG. 39 is a flow diagram 3900 that illustrates monitoring and logginginvestigation workflow events and causing display of a workflow eventlog view, according to an embodiment. At block 3902, a network securityapplication causes display of a graphical user interface including aplurality of interface elements. In an embodiment, each interfaceelement of the plurality of interface elements is related to one or moreevents stored by a data intake and query system, where each event of theone or more events is related to one or more performance characteristicsof one or more computing devices.

In one embodiment, a graphical user interface displayed by the networksecurity application generally may include any dashboard or otherinterface of a network security application. For example, the interfacemay be displayed in response to a user selecting a particular dashboardof interest to view while navigating the network security application.An interface element of a graphical user interface may include anyaspect of the interface, including a search bar, a data filter,displayed text or icons (e.g., text or icons representing one or morenotable events).

At block 4004, an indication of an occurrence of a user action involvingone or more interface elements of the plurality of interface elements isreceived. For example, in response to a user interacting with aparticular interface element, the interface element may be configured tocause data to be recorded about the interaction by the network securityapplication. The indication of the occurrence of the user actiongenerally may include, for example, a request generated directly by theuser action (e.g., submission of a search query, or a request to view aparticular dashboard) or comprise an indication specifically generatedto notify the network security application of the action's occurrence(e.g., a trigger associated with an interface element that sends anindication to the network security application in response to a userinteracting with the interface element).

At block 4006, in response to receiving the indication of the occurrenceof the user action, the network security application stores a particularlog entry in a workflow log describing the user action. In anembodiment, information stored as part of a particular log entry mayinclude, for example, an identification of the particular interfaceelement involved in the user action, a time at which the actionoccurred, an identity of the user causing the action, etc. In general,log entries of a workflow event log may be stored in any format. In oneembodiment, workflow log entries may be stored in a format similar tonetwork events, where each workflow log entry is stored as acorresponding “workflow event” by the network security application.

At block 4008, a network security application causes display of aworkflow log view in conjunction with the graphical user interface, theworkflow log view displaying information describing a plurality of logentries including the particular log entry. In general, display of aworkflow log view in conjunction with the graphical user interface mayinclude displaying the workflow log view at a particular location aspart of the graphical user interface, displayed overlaying one or moreportions of the graphical user interface, or displayed in a separateuser interface. For example, in reference to FIG. 13, a network securityapplication may cause display of a workflow log view overlaying one ormore dashboards or other interfaces, where the workflow log viewdisplays one or more recorded workflow events. In an embodiment, displayof information describing a plurality of workflow log entries mayinclude, for example, an indication of a type of the workflow event, alabel for the workflow event, a time at which the workflow eventoccurred, etc.

4.3. Generating Management Console Views

FIG. 40 is a flow diagram 4000 that illustrates generation of aninvestigation management console display, according to an embodiment. Atblock 4002, a network security application causes display of a graphicaluser interface including a plurality of interface elements representinga plurality of investigation timelines. In an embodiment, eachinvestigation timeline of the plurality of investigation timelines isassociated with: (a) one or more first events corresponding to computernetwork security events stored by a data intake and query system; and(b) one or more second events corresponding to occurrences of useractions recorded by the data intake and query system. For example,referring to FIG. 33, a management console interface 3302 may display aplurality of interface elements representing various investigationtimelines stored by the network security application as part of aninvestigation list 3308.

In an embodiment, each of the plurality of interface elementsrepresenting the plurality of investigation timelines may displayvarious information related to the respective timeline. For example,each interface element may include information indicating one or moreusers assigned to the investigation timeline, a status of theinvestigation, a priority level assigned to the investigation timeline,a number of hours users have worked on the investigation timeline, alabel for the investigation timeline, etc.

In one embodiment, the graphical user interface displays one or moreaggregate metrics related to the plurality of investigation timelines.For example, as illustrated by the aggregate information panel 3304 ofFIG. 33, the one or more aggregate metrics may include a totalinvestigation count, an investigation completion leaderboard, and a killchain status.

At block 4004, a selection of a particular interface element of theplurality of interface elements is received, where the particularinterface element represents a particular investigation timeline.Referring again to FIG. 33, for example, a user may select one or moreof the interface elements from the investigations list 3308corresponding to particular investigations to view additionalinformation related to the selected investigations.

At block 4006, in response to receiving the selection of the particularinterface element, a network security application causes display of theparticular investigation timeline. For example, again in reference toFIG. 33, in response to a user selecting a particular interface elementcorresponding to a particular investigation timeline from theinvestigation list, the selected investigation timeline may bedisplayed. As illustrated in the investigations list 3308, for example,unselected interface elements from the list may initially be displayedin a collapsed state without displaying an associated timeline and, uponselection, an associated timeline may be displayed in the managementconsole interface. In another example, the selection of the particularinterface element may cause display of the particular investigationtimeline in another interface such as, for example, a timeline canvasinterface 3502 as illustrated in FIG. 35.

In one embodiment, a user may select two or more graphical interfaceelements of the plurality of interface elements corresponding to aplurality of investigation timelines, where selecting the plurality ofinterface elements causes the plurality of investigation timelines to bedisplayed juxtaposed with one another. For example, the selectedinvestigation timelines may be displayed in a stacked arrangement suchthat a user can compare the placement of events on each of therespective timelines. A juxtaposed display of a plurality ofinvestigation timelines may be useful, for example, if an analyst isattempting to determine whether two or more separate investigations maybe related. For example, a collection of network events corresponding tosecurity access violations may initially appear unrelated to one or moreanalysts and may be added as part of separate investigations. However,after viewing the separate investigations and noticing a temporalsimilarity between the events on each of the timelines, the analyst(s)may determine that the investigations are related to a same threat.

5.0. Example Embodiments

Examples of some embodiments are represented, without limitation, in thefollowing numbered clauses:

In an embodiment, a method or non-transitory computer readable mediumcomprises: identifying one or more first events stored by a data intakeand query system, each first event of the one or more first eventscorresponding to a computer network security event; identifying one ormore second events stored by the data intake and query system, eachsecond event of the one or more second events corresponding to anoccurrence of a user action recorded by the data intake and querysystem; generating a timeline view including a plurality of graphicalevent indications, the plurality of graphical event indicationsincluding (a) at least one first graphical event indicationcorresponding to an event from the first events, and (b) at least onesecond graphical event indication corresponding to an event from thesecond events; wherein each graphical indication of the plurality ofgraphical indications is configured for display at a location on thetimeline view based on a timestamp associated with a respective event;and causing display of a graphical user interface including the timelineview.

In an embodiment, a method or non-transitory computer readable mediumcomprises: wherein each second event of the one or more second eventscorresponds to an entry in a workflow log, the workflow log including aplurality of log entries corresponding to user actions involving one ormore graphical user interfaces.

In an embodiment, a method or non-transitory computer readable mediumcomprises: wherein each second event of the one or more second eventscorresponds to an entry in a workflow log, the workflow log including aplurality of log entries corresponding to user actions involving one ormore graphical user interfaces; causing display of a workflow log viewdisplaying information describing one or more log entries of theplurality of log entries.

In an embodiment, a method or non-transitory computer readable mediumcomprises: wherein at least one graphical event indication of theplurality of graphical event indications corresponds to a plurality ofevents from a set including the one or more first events and the one ormore second events.

In an embodiment, a method or non-transitory computer readable mediumcomprises: receiving input to add a note to the timeline view; and inresponse to receiving the input to add the note to the timeline view,causing display of a graphical indication of the note at a particularlocation on the timeline view.

In an embodiment, a method or non-transitory computer readable mediumcomprises: receiving input to add a screenshot to the timeline view; andin response to receiving the input to add the screenshot to the timelineview, causing display of a graphical indication of the screenshot at aparticular location on the timeline view.

In an embodiment, a method or non-transitory computer readable mediumcomprises: wherein access to the timeline view is granted a first user;receiving input from the first user to grant a second user access to thetimeline view; and granting the second user access to the timeline view;in response to receiving input selecting a priority level, associatingthe priority level with the timeline view.

In an embodiment, a method or non-transitory computer readable mediumcomprises: wherein the graphical user interface includes a plurality ofinterface elements; receiving an indication of an occurrence of aparticular user action involving one or more interface elements of theplurality of interface elements; and in response to receiving theindication of the occurrence of the particular user action, storing alog entry describing the particular user action in a workflow log.

In an embodiment, a method or non-transitory computer readable mediumcomprises: receiving input selecting a particular graphical eventindication from the plurality of graphical event indications, theparticular graphical event indication corresponding to a particularevent from the set including the one or more first events and the one ormore second events; and in response to receiving the selection of theparticular graphical event indication, causing display of a detail viewof the particular event.

In an embodiment, a method or non-transitory computer readable mediumcomprises: causing display of a detail view of a particular event, thedetail view of the particular event including an indication of aparticular timeline view with which the particular event is associated;receiving input selecting the indication of the timeline view; and inresponse to receiving the input selecting the indication of the timelineview, causing display of the particular timeline view, the particulartimeline view displaying a graphical indication of at least theparticular event.

In an embodiment, a method or non-transitory computer readable mediumcomprises: wherein causing display of the graphical user interfaceincludes overlaying the timeline view on the graphical user interface.

In an embodiment, a method or non-transitory computer readable mediumcomprises: wherein the graphical user interface is a first graphicaluser interface; receiving input requesting display of a second graphicaluser interface that is different from the first graphical userinterface; and causing display of the second graphical user interfaceincluding the same timeline view.

In an embodiment, a method or non-transitory computer readable mediumcomprises: creating a portable representation of the timeline view, theportable representation including instructions for displaying thetimeline view.

In an embodiment, a method or non-transitory computer readable mediumcomprises: wherein the one or more first events are identified based onuser input selecting the one or more first events, and wherein the oneor more second events are identified based on user input selecting theone or more second events.

In an embodiment, a method or non-transitory computer readable mediumcomprises: wherein a first event of the one or more first eventscorresponds to a detected malware infection, a security accessviolation, or network traffic.

In an embodiment, a method or non-transitory computer readable mediumcomprises: causing display of a graphical user interface including aplurality of interface elements, each interface element of the pluralityof interface elements related to one or more events stored by a dataintake and query system, each event of the one or more events related toone or more performance characteristics of one or more computingdevices; receiving an indication of an occurrence of a user actioninvolving one or more interface elements of the plurality of interfaceelements; in response to receiving the indication of the occurrence ofthe user action, storing a particular log entry in a workflow logdescribing the user action; and causing display of a workflow log viewwith the graphical user interface, the workflow log view displayinginformation describing a plurality of log entries including theparticular log entry.

In an embodiment, a method or non-transitory computer readable mediumcomprises: receiving input to add one or more particular log entries ofthe plurality of log entries displayed in the workflow log view to atimeline view; and causing display of the timeline view including one ormore graphical event indications corresponding to the one or moreparticular log entries.

In an embodiment, a method or non-transitory computer readable mediumcomprises: wherein the particular log entry includes a timestampindicating when the user action occurred.

In an embodiment, a method or non-transitory computer readable mediumcomprises: wherein the particular log entry indicates an action type ofthe user action, wherein the action type is one or more of a search, aninterface view, an alert response, an alert status change, and a dataset filter.

In an embodiment, a method or non-transitory computer readable mediumcomprises: wherein the user action is a search and wherein the log entryincludes a search string associated with the search.

In an embodiment, a method or non-transitory computer readable mediumcomprises: wherein the user action is viewing a particular interface andwherein the log entry includes an indication of a particular interfaceviewed.

In an embodiment, a method or non-transitory computer readable mediumcomprises: wherein the displayed plurality of log entries are sortedbased on a timestamp associated with each log entry of the plurality oflog entries.

In an embodiment, a method or non-transitory computer readable mediumcomprises: wherein the displayed plurality of log entries are sortedbased on an action type associated with each log entry of the pluralityof log entries.

In an embodiment, a method or non-transitory computer readable mediumcomprises: wherein the displayed plurality of log entries are sortedbased on a label associated with each log entry of the plurality of logentries.

In an embodiment, a method or non-transitory computer readable mediumcomprises: receiving input selecting one or more user action types tolog.

In an embodiment, a method or non-transitory computer readable mediumcomprises: receiving input selecting one or more user action types todisplay in the workflow log view.

In an embodiment, a method or non-transitory computer readable mediumcomprises: receiving input selecting a particular graphical eventindication of a plurality of graphical event indications displayed on atimeline view, the particular graphical event indication correspondingto a particular log entry of the plurality of log entries; and inresponse to receiving the selection of the particular graphical eventindication, causing display of the particular log entry in the workflowlog view.

In an embodiment, a method or non-transitory computer readable mediumcomprises: wherein a particular event of the one or more eventscorresponds to a detected malware infection, a security accessviolation, or network traffic.

In an embodiment, a method or non-transitory computer readable mediumcomprises: receiving input specifying a search string for one or morelog entries in the workflow log stored by the data intake and querysystem; causing display of the workflow log view displaying a pluralityof log entry results, each log entry result of the plurality of logentry results including information matching the search string.

In an embodiment, a method or non-transitory computer readable mediumcomprises: receiving input specifying an action type filter for one ormore log entries in the workflow log stored by the data intake and querysystem; causing display of the workflow log view displaying a pluralityof log entry results, each log entry result of the plurality of logentry results including information matching the action type filter.

In an embodiment, a method or non-transitory computer readable mediumcomprises: receiving input specifying one or more timeframes for one ormore log entries in the workflow log stored by the data intake and querysystem; causing display of the workflow log view displaying a pluralityof log entry results, each log entry result of the plurality of logentry results associated with a timestamp matching at least onetimeframe of the one or more timeframes.

In an embodiment, a method or non-transitory computer readable mediumcomprises: causing display of a graphical user interface including aplurality of interface elements representing a plurality ofinvestigation timelines, each investigation timeline of the plurality ofinvestigation timelines associated with (a) one or more first eventscorresponding to computer network security events stored by a dataintake and query system, and (b) one or more second events correspondingto occurrences of user actions recorded by the data intake and querysystem; receiving a selection of a particular interface element of theplurality of interface elements, the particular interface elementrepresenting a particular investigation timeline; and in response toreceiving the selection of the particular interface element, causingdisplay of the particular investigation timeline.

In an embodiment, a method or non-transitory computer readable mediumcomprises: wherein each interface element of the plurality of interfaceelements displays an indication of one or more users assigned to arespective investigation timeline.

In an embodiment, a method or non-transitory computer readable mediumcomprises: wherein each interface element of the plurality of interfaceelements displays a status of a respective investigation timeline.

In an embodiment, a method or non-transitory computer readable mediumcomprises: wherein each interface element of the plurality of interfaceelements displays a priority level assigned to a respectiveinvestigation timeline.

In an embodiment, a method or non-transitory computer readable mediumcomprises: wherein the graphical user interface displays an indicationof a total number of currently active investigation timelines.

In an embodiment, a method or non-transitory computer readable mediumcomprises: wherein the graphical user interface displays an indicationof a number of investigations completed by each of one or more users.

In an embodiment, a method or non-transitory computer readable mediumcomprises: wherein the graphical user interface displays an indicationof a kill chain status of a computer network based on a statusassociated with each of the plurality of investigation timelines.

In an embodiment, a method or non-transitory computer readable mediumcomprises: receiving a selection of a first interface element and asecond interface element of the plurality of interface elements, thefirst interface element representing a first investigation timeline andthe second interface element representing a second investigationtimeline; and in response to receiving the selection of the firstinterface element and the second interface element, causing display ofthe first investigation timeline juxtaposed with the secondinvestigation timeline.

In an embodiment, a method or non-transitory computer readable mediumcomprises: wherein a particular event of the one or more first eventscorresponds to a detected malware infection, a security accessviolation, or network traffic.

In an embodiment, a method or non-transitory computer readable mediumcomprises: wherein each second event of the one or more second eventscorresponds to an entry in a workflow log, the workflow log including aplurality of log entries corresponding to user actions involving one ormore graphical user interfaces.

In an embodiment, a method or non-transitory computer readable mediumcomprises: wherein causing display of the particular investigationtimeline includes displaying a plurality of graphical event indications,each graphical indication of the plurality of graphical eventindications configured for display at a location on the particularinvestigation based on a timestamp associated with a respective event.

In an embodiment, a method or non-transitory computer readable mediumcomprises: wherein causing display of the particular investigationtimeline includes displaying a plurality of graphical event indications,each graphical indication of the plurality of graphical eventindications configured for display at a location on the particularinvestigation timeline based on a timestamp associated with a respectiveevent; and wherein at least one graphical event indication of theplurality of graphical event indications corresponds to a plurality ofevents from a set including the one or more first events and the one ormore second events.

In an embodiment, a method or non-transitory computer readable mediumcomprises: wherein causing display of the particular investigationtimeline includes displaying a plurality of graphical event indications,each graphical indication of the plurality of graphical eventindications configured for display at a location on the particularinvestigation timeline based on a timestamp associated with a respectiveevent; receiving input selecting a particular graphical event indicationof the plurality of graphical event indications, the particulargraphical event indication corresponding to a particular event from theset including the one or more first events and the one or more secondevents; in response to receiving the selection of the particulargraphical event indication, causing display of a detail view of theparticular event, the detail view of the particular event including atimestamp associated with the particular event and a label associatedwith the particular event.

In an embodiment, a method or non-transitory computer readable mediumcomprises: wherein causing display of the particular investigationtimeline includes displaying a plurality of graphical event indications,each graphical indication of the plurality of graphical eventindications configured for display at a location on the particularinvestigation timeline based on a timestamp associated with a respectiveevent; receiving input selecting a particular graphical event indicationof the plurality of graphical event indications, the particulargraphical event indication corresponding to a particular event from theset including the one or more first events and the one or more secondevents; in response to receiving the selection of the particulargraphical event indication, causing display of a detail view of theparticular event, the detail view of the particular event includingdisplay of at least a portion of raw data associated with the particularevent.

In an embodiment, a method or non-transitory computer readable mediumcomprises: causing display of a detail view of a particular event fromthe set including the one or more first events and the one or moresecond events, the detail view of the particular event including aninterface component for receiving a user annotation associated with theparticular event.

In an embodiment, a method or non-transitory computer readable mediumcomprises: causing display of a detail view of a particular event fromthe set including the one or more first events and the one or moresecond events, the detail view of the particular event including aninterface component for receiving a user annotation associated with theparticular event.

In an embodiment, a method or non-transitory computer readable mediumcomprises: creating a portable representation of the particularinvestigation timeline, the portable representation includinginstructions for displaying the particular investigation timeline.

In an embodiment, a method or non-transitory computer readable mediumcomprises: receiving a selection of an assignment filter, the assignmentfilter indicating a request display of investigation timelines assignedto a particular user; wherein causing display of the graphical userinterface including the plurality of interface elements representing aplurality of investigation timelines includes causing display of onlyinterface elements representing investigation timelines assigned to theparticular user.

In an embodiment, a method or non-transitory computer readable mediumcomprises: receiving a selection of an assignment filter, the assignmentfilter indicating a request display of investigation timelines assignedto a group of users; wherein causing display of the graphical userinterface including the plurality of interface elements representing aplurality of investigation timelines includes causing display of onlyinterface elements representing investigation timelines assigned to thegroup of users.

In an embodiment, a method or non-transitory computer readable mediumcomprises: wherein each interface element of the plurality of interfaceelements displays a total number of hours worked on the respectiveinvestigation timeline by users assigned to the respective investigationtimeline.

In an embodiment, a method or non-transitory computer readable mediumcomprises: wherein each interface element of the plurality interfaceelements displays a number of hours worked on the respectiveinvestigation timeline by each user assigned to the respectiveinvestigation timeline.

In an embodiment, a method or non-transitory computer readable mediumcomprises: wherein the plurality of interface elements representing theplurality of investigation timelines are sorted based on a time eachinvestigation timeline was last updated.

In an embodiment, a method or non-transitory computer readable mediumcomprises: wherein the plurality of interface elements representing theplurality of investigation timelines are sorted based on a time eachinvestigation timeline was created.

In an embodiment, a method or non-transitory computer readable mediumcomprises: wherein the plurality of interface elements representing theplurality of investigation timelines are sorted based on a text labelassociated with each investigation timeline of the plurality ofinvestigation timelines.

In an embodiment, a method or non-transitory computer readable mediumcomprises: wherein the plurality of interface elements representing theplurality of investigation timelines are sorted based on a set of usersassigned to each investigation timeline of the plurality ofinvestigation timelines.

In an embodiment, a method or non-transitory computer readable mediumcomprises: wherein the plurality of interface elements representing theplurality of investigation timelines are sorted based on a statusassociated with each investigation timeline of the plurality ofinvestigation timelines.

In an embodiment, a method or non-transitory computer readable mediumcomprises: wherein the plurality of interface elements representing theplurality of investigation timelines are sorted based on a prioritylevel associated with each investigation timeline of the plurality ofinvestigation timelines

In an embodiment, a method or non-transitory computer readable mediumcomprises: wherein the plurality of interface elements representing theplurality of investigation timelines are sorted based on one or moretags associated with each investigation timeline of the plurality ofinvestigation timelines.

Other examples of these and other embodiments are found throughout thisdisclosure.

6.0. Implementation Mechanism—Hardware Overview

According to one embodiment, the techniques described herein areimplemented by one or more special-purpose computing devices. Thespecial-purpose computing devices may be desktop computer systems,portable computer systems, handheld devices, networking devices or anyother device that incorporates hard-wired and/or program logic toimplement the techniques. The special-purpose computing devices may behard-wired to perform the techniques, or may include digital electronicdevices such as one or more application-specific integrated circuits(ASICs) or field programmable gate arrays (FPGAs) that are persistentlyprogrammed to perform the techniques, or may include one or more generalpurpose hardware processors programmed to perform the techniquespursuant to program instructions in firmware, memory, other storage, ora combination thereof. Such special-purpose computing devices may alsocombine custom hard-wired logic, ASICs, or FPGAs with custom programmingto accomplish the techniques.

FIG. 41 is a block diagram that illustrates a computer system 4100utilized in implementing the above-described techniques, according to anembodiment. Computer system 4100 may be, for example, a desktopcomputing device, laptop computing device, tablet, smartphone, serverappliance, computing mainframe, multimedia device, handheld device,networking apparatus, or any other suitable device.

Computer system 4100 includes one or more busses 4102 or othercommunication mechanism for communicating information, and one or morehardware processors 4104 coupled with busses 4102 for processinginformation. Hardware processors 4104 may be, for example, generalpurpose microprocessors. Busses 4102 may include various internal and/orexternal components, including, without limitation, internal processoror memory busses, a Serial ATA bus, a PCI Express bus, a UniversalSerial Bus, a HyperTransport bus, an Infiniband bus, and/or any othersuitable wired or wireless communication channel.

Computer system 4100 also includes a main memory 4106, such as a randomaccess memory (RAM) or other dynamic or volatile storage device, coupledto bus 4102 for storing information and instructions to be executed byprocessor 4104. Main memory 4106 also may be used for storing temporaryvariables or other intermediate information during execution ofinstructions to be executed by processor 4104. Such instructions, whenstored in non-transitory storage media accessible to processor 4104,render computer system 4100 a special-purpose machine that is customizedto perform the operations specified in the instructions.

Computer system 4100 further includes one or more read only memories(ROM) 4108 or other static storage devices coupled to bus 4102 forstoring static information and instructions for processor 4104. One ormore storage devices 4110, such as a solid-state drive (SSD), magneticdisk, optical disk, or other suitable non-volatile storage device, isprovided and coupled to bus 4102 for storing information andinstructions.

Computer system 4100 may be coupled via bus 4102 to one or more displays4112 for presenting information to a computer user. For instance,computer system 4100 may be connected via an High-Definition MultimediaInterface (HDMI) cable or other suitable cabling to a Liquid CrystalDisplay (LCD) monitor, and/or via a wireless connection such aspeer-to-peer Wi-Fi Direct connection to a Light-Emitting Diode (LED)television. Other examples of suitable types of displays 4112 mayinclude, without limitation, plasma display devices, projectors, cathoderay tube (CRT) monitors, electronic paper, virtual reality headsets,braille terminal, and/or any other suitable device for outputtinginformation to a computer user. In an embodiment, any suitable type ofoutput device, such as, for instance, an audio speaker or printer, maybe utilized instead of a display 4112.

One or more input devices 4114 are coupled to bus 4102 for communicatinginformation and command selections to processor 4104. One example of aninput device 4114 is a keyboard, including alphanumeric and other keys.Another type of user input device 4114 is cursor control 4116, such as amouse, a trackball, or cursor direction keys for communicating directioninformation and command selections to processor 4104 and for controllingcursor movement on display 4112. This input device typically has twodegrees of freedom in two axes, a first axis (e.g., x) and a second axis(e.g., y), that allows the device to specify positions in a plane. Yetother examples of suitable input devices 4114 include a touch-screenpanel affixed to a display 4112, cameras, microphones, accelerometers,motion detectors, and/or other sensors. In an embodiment, anetwork-based input device 4114 may be utilized. In such an embodiment,user input and/or other information or commands may be relayed viarouters and/or switches on a Local Area Network (LAN) or other suitableshared network, or via a peer-to-peer network, from the input device4114 to a network link 4120 on the computer system 4100.

A computer system 4100 may implement techniques described herein usingcustomized hard-wired logic, one or more ASICs or FPGAs, firmware and/orprogram logic which in combination with the computer system causes orprograms computer system 4100 to be a special-purpose machine. Accordingto one embodiment, the techniques herein are performed by computersystem 4100 in response to processor 4104 executing one or moresequences of one or more instructions contained in main memory 4106.Such instructions may be read into main memory 4106 from another storagemedium, such as storage device 4110. Execution of the sequences ofinstructions contained in main memory 4106 causes processor 4104 toperform the process steps described herein. In alternative embodiments,hard-wired circuitry may be used in place of or in combination withsoftware instructions.

The term “storage media” as used herein refers to any non-transitorymedia that store data and/or instructions that cause a machine tooperate in a specific fashion. Such storage media may comprisenon-volatile media and/or volatile media. Non-volatile media includes,for example, optical or magnetic disks, such as storage device 4110.Volatile media includes dynamic memory, such as main memory 4106. Commonforms of storage media include, for example, a floppy disk, a flexibledisk, hard disk, solid state drive, magnetic tape, or any other magneticdata storage medium, a CD-ROM, any other optical data storage medium,any physical medium with patterns of holes, a RAM, a PROM, an EPROM, aFLASH-EPROM, NVRAM, any other memory chip or cartridge.

Storage media is distinct from but may be used in conjunction withtransmission media. Transmission media participates in transferringinformation between storage media. For example, transmission mediaincludes coaxial cables, copper wire and fiber optics, including thewires that comprise bus 4102. Transmission media can also take the formof acoustic or light waves, such as those generated during radio-waveand infra-red data communications.

Various forms of media may be involved in carrying one or more sequencesof one or more instructions to processor 4104 for execution. Forexample, the instructions may initially be carried on a magnetic disk ora solid state drive of a remote computer. The remote computer can loadthe instructions into its dynamic memory and use a modem to send theinstructions over a network, such as a cable network or cellularnetwork, as modulate signals. A modem local to computer system 4100 canreceive the data on the network and demodulate the signal to decode thetransmitted instructions. Appropriate circuitry can then place the dataon bus 4102. Bus 4102 carries the data to main memory 4106, from whichprocessor 4104 retrieves and executes the instructions. The instructionsreceived by main memory 4106 may optionally be stored on storage device4110 either before or after execution by processor 4104.

A computer system 4100 may also include, in an embodiment, one or morecommunication interfaces 4118 coupled to bus 4102. A communicationinterface 4118 provides a data communication coupling, typicallytwo-way, to a network link 4120 that is connected to a local network4122. For example, a communication interface 4118 may be an integratedservices digital network (ISDN) card, cable modem, satellite modem, or amodem to provide a data communication connection to a corresponding typeof telephone line. As another example, the one or more communicationinterfaces 4118 may include a local area network (LAN) card to provide adata communication connection to a compatible LAN. As yet anotherexample, the one or more communication interfaces 4118 may include awireless network interface controller, such as a 802.11-basedcontroller, Bluetooth controller, Long Term Evolution (LTE) modem,and/or other types of wireless interfaces. In any such implementation,communication interface 4118 sends and receives electrical,electromagnetic, or optical signals that carry digital data streamsrepresenting various types of information.

Network link 4120 typically provides data communication through one ormore networks to other data devices. For example, network link 4120 mayprovide a connection through local network 4122 to a host computer 4124or to data equipment operated by a Service Provider 4126. ServiceProvider 4126, which may for example be an Internet Service Provider(ISP), in turn provides data communication services through a wide areanetwork, such as the world wide packet data communication network nowcommonly referred to as the “Internet” 4128. Local network 4122 andInternet 4128 both use electrical, electromagnetic or optical signalsthat carry digital data streams. The signals through the variousnetworks and the signals on network link 4120 and through communicationinterface 4118, which carry the digital data to and from computer system4100, are example forms of transmission media.

In an embodiment, computer system 4100 can send messages and receivedata, including program code and/or other types of instructions, throughthe network(s), network link 4120, and communication interface 4118. Inthe Internet example, a server 4130 might transmit a requested code foran application program through Internet 4128, ISP 4126, local network4122 and communication interface 4118. The received code may be executedby processor 4104 as it is received, and/or stored in storage device4110, or other non-volatile storage for later execution. As anotherexample, information received via a network link 4120 may be interpretedand/or processed by a software component of the computer system 4100,such as a web browser, application, or server, which in turn issuesinstructions based thereon to a processor 4104, possibly via anoperating system and/or other intermediate layers of softwarecomponents.

In an embodiment, some or all of the systems described herein may be orcomprise server computer systems, including one or more computer systems4100 that collectively implement various components of the system as aset of server-side processes. The server computer systems may includeweb server, application server, database server, and/or otherconventional server components that certain above-described componentsutilize to provide the described functionality. The server computersystems may receive network-based communications comprising input datafrom any of a variety of sources, including without limitationuser-operated client computing devices such as desktop computers,tablets, or smartphones, remote sensing devices, and/or other servercomputer systems.

In an embodiment, certain server components may be implemented in fullor in part using “cloud”-based components that are coupled to thesystems by one or more networks, such as the Internet. The cloud-basedcomponents may expose interfaces by which they provide processing,storage, software, and/or other resources to other components of thesystems. In an embodiment, the cloud-based components may be implementedby third-party entities, on behalf of another entity for whom thecomponents are deployed. In other embodiments, however, the describedsystems may be implemented entirely by computer systems owned andoperated by a single entity.

In an embodiment, an apparatus comprises a processor and is configuredto perform any of the foregoing methods. In an embodiment, anon-transitory computer readable storage medium, storing softwareinstructions, which when executed by one or more processors causeperformance of any of the foregoing methods.

7.0. Extensions and Alternatives

As used herein, the terms “first,” “second,” “certain,” and “particular”are used as naming conventions to distinguish queries, plans,representations, steps, objects, devices, or other items from eachother, so that these items may be referenced after they have beenintroduced. Unless otherwise specified herein, the use of these termsdoes not imply an ordering, timing, or any other characteristic of thereferenced items.

In the foregoing specification, embodiments of the invention have beendescribed with reference to numerous specific details that may vary fromimplementation to implementation. Thus, the sole and exclusive indicatorof what is the invention, and is intended by the applicants to be theinvention, is the set of claims that issue from this application, in thespecific form in which such claims issue, including any subsequentcorrection. In this regard, although specific claim dependencies are setout in the claims of this application, it is to be noted that thefeatures of the dependent claims of this application may be combined asappropriate with the features of other dependent claims and with thefeatures of the independent claims of this application, and not merelyaccording to the specific dependencies recited in the set of claims.Moreover, although separate embodiments are discussed herein, anycombination of embodiments and/or partial embodiments discussed hereinmay be combined to form further embodiments.

Any definitions expressly set forth herein for terms contained in suchclaims shall govern the meaning of such terms as used in the claims.Hence, no limitation, element, property, feature, advantage or attributethat is not expressly recited in a claim should limit the scope of suchclaim in any way. The specification and drawings are, accordingly, to beregarded in an illustrative rather than a restrictive sense.

What is claimed is:
 1. A method, comprising: causing display of one ormore identifiers, each identifier identifying an investigation timelineassociated with first data representing one or more computer networksecurity events stored by a data intake and query system, and seconddata representing one or more actions taken by a user to investigate anetwork security incident, each identifier includes an indication of oneor more users assigned to a corresponding investigation timeline;receiving a selection of a particular identifier from the displayedidentifiers; and causing display of the investigation timelineidentified by the selected identifier.
 2. The method of claim 1, whereineach identifier displays a status of a corresponding investigationtimeline.
 3. The method of claim 1, wherein each identifier displays apriority level assigned to a corresponding investigation timeline. 4.The method of claim 1, further comprising displaying an indication of atotal number of currently active investigation timelines.
 5. The methodof claim 1, further comprising displaying an indication of a number ofinvestigations completed by each of one or more users.
 6. The method ofclaim 1, further comprising displaying an indication of a kill chainstatus of a computer network, the kill chain status based on a statusassociated with a plurality of investigation timelines.
 7. The method ofclaim 1, further comprising: receiving a selection of a first identifierand a second identifier from the one or more identifiers, the firstidentifier representing a first investigation timeline and the secondidentifier representing a second investigation timeline; and in responseto receiving the selection of the first identifier and the secondidentifier, causing display of the first investigation timelinejuxtaposed with the second investigation timeline.
 8. The method ofclaim 1, wherein a particular computer network security event of the oneor more computer network security events corresponds to a detectedmalware infection, a security access violation, or network traffic. 9.The method of claim 1, wherein the user actions taken by a user toinvestigate a network security incident include one or user interactionswith a graphical user interface.
 10. The method of claim 1, wherein theuser actions taken by a user to investigate a network security incidentinclude submitting a search query.
 11. The method of claim 1, whereincausing display of the investigation timeline includes displaying aplurality of event identifiers, each event identifier of the pluralityof event identifiers configured for display at a location on theinvestigation timeline based on a timestamp associated with acorresponding event.
 12. The method of claim 1, wherein causing displayof the investigation timeline includes displaying a plurality of eventidentifiers, each event identifier of the plurality of event identifiersconfigured for display at a location on the investigation timeline basedon a timestamp associated with a corresponding event; and wherein atleast one event identifier of the plurality of event identifierscorresponds to a plurality of events from a set including the one ormore first events and the one or more second events.
 13. The method ofclaim 1, further comprising: wherein causing display of theinvestigation timeline includes displaying a plurality of eventidentifiers, each event identifier of the plurality of event identifiersconfigured for display at a location on the investigation timeline basedon a timestamp associated with a corresponding event; receiving inputselecting a particular event identifier of the plurality of eventidentifiers, the particular event identifier corresponding to aparticular event from a set of events derived from the first data andthe second data; in response to receiving the selection of theparticular event identifier, causing display of a detail view of theparticular event, the detail view of the particular event including atimestamp associated with the particular event and a label associatedwith the particular event.
 14. The method of claim 1, furthercomprising: wherein causing display of the investigation timelineincludes displaying a plurality of event identifiers, each eventidentifier of the plurality of event identifiers configured for displayat a location on the investigation timeline based on a timestampassociated with a respective event; receiving input selecting aparticular event identifier of the plurality of event identifiers, theparticular event identifier corresponding to a particular event from aset of events derived from the first data and the second data; inresponse to receiving the selection of the particular event identifier,causing display of a detail view of the particular event, the detailview of the particular event including display of at least a portion ofraw data associated with the particular event.
 15. The method of claim1, further comprising causing display of a detail view of a particularevent from a set of events derived from the first data and the seconddata, the detail view of the particular event including an interfacecomponent for receiving a user annotation associated with the particularevent.
 16. The method of claim 1, further comprising causing display ofa detail view of a particular event from a set of events derived fromthe first data and the second data, the detail view of the particularevent including a storyboard panel that displays the particular event aspart of a series of events.
 17. The method of claim 1, furthercomprising creating a portable representation of the displayedinvestigation timeline, the portable representation includinginstructions for displaying the displayed investigation timeline usingother application programs.
 18. The method of claim 1, furthercomprising: receiving a selection of an assignment filter, theassignment filter indicating a request to display investigationtimelines assigned to a particular user; wherein causing display of theone or more identifiers includes causing display of only identifiersrepresenting investigation timelines assigned to the particular user.19. The method of claim 1, further comprising: receiving a selection ofan assignment filter, the assignment filter indicating a request todisplay investigation timelines assigned to a group of users; whereincausing display of the one or more identifiers includes causing displayof only identifiers representing investigation timelines assigned to thegroup of users.
 20. The method of claim 1, wherein each identifier ofthe one or more identifiers includes a total number of hours worked onthe corresponding investigation timeline by all users assigned to therespective investigation timeline.
 21. The method of claim 1, whereineach identifier of the one or more identifiers includes a number ofhours worked on the corresponding investigation timeline for each userassigned to the respective investigation timeline.
 22. The method ofclaim 1, wherein the one or more identifiers are sorted based on a timeeach corresponding investigation timeline was last updated.
 23. Themethod of claim 1, wherein the one or more identifiers are sorted basedon a time each corresponding investigation timeline was created.
 24. Themethod of claim 1, wherein the one or more identifiers are sorted basedon a text label associated with each corresponding investigationtimeline.
 25. The method of claim 1, wherein the one or more identifiersare sorted based on a set of users assigned to each correspondinginvestigation timeline.
 26. The method of claim 1, wherein the one ormore identifiers are sorted based on a status associated with eachcorresponding investigation timeline.
 27. The method of claim 1, whereinthe one or more identifiers are sorted based on a priority levelassociated with each corresponding investigation timeline.
 28. One ormore non-transitory computer-readable storage media, storinginstructions, which when executed by one or more processors causeperformance of: causing display of one or more identifiers, eachidentifier identifying an investigation timeline associated with firstdata representing one or more computer network security events stored bya data intake and query system, and second data representing one or moreactions taken by a user to investigate a network security incident, eachidentifier includes an indication of one or more users assigned to acorresponding investigation timeline; receiving a selection of aparticular identifier from the displayed identifiers; and causingdisplay of the investigation timeline identified by the selectedidentifier.
 29. An apparatus, comprising: a display subsystem,implemented at least partially in hardware, that causes display of oneor more identifiers, each identifier identifying an investigationtimeline associated with first data representing one or more computernetwork security events stored by a data intake and query system, andsecond data representing one or more actions taken by a user toinvestigate a network security incident, each identifier includes anindication of one or more users assigned to a correspondinginvestigation timeline; an input receiver subsystem, implemented atleast partially in hardware, that receives a selection of a particularidentifier from the displayed identifiers; and wherein the displaysubsystem further causes, in response to receiving the selection of theparticular identifier, display of the investigation timeline identifiedby the selected identifier.